Re: [ 102/184] Bluetooth: fix possible info leak in
From: Ben Hutchings
Date: Fri Jun 07 2013 - 02:35:23 EST
On Tue, 2013-06-04 at 19:23 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
> bt_sock_recvmsg()
>
> From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
commit 4683f42fde3977bdb4e8a09622788cc8b5313778 upstream.
> In case the socket is already shutting down, bt_sock_recvmsg() returns
> with 0 without updating msg_namelen leading to net/socket.c leaking the
> local, uninitialized sockaddr_storage variable to userland -- 128 bytes
> of kernel stack memory.
>
> Fix this by moving the msg_namelen assignment in front of the shutdown
> test.
>
> Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> Cc: Gustavo Padovan <gustavo@xxxxxxxxxxx>
> Cc: Johan Hedberg <johan.hedberg@xxxxxxxxx>
> Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> [dannf: adjusted to apply to Debian's 2.6.32]
> Signed-off-by: Willy Tarreau <w@xxxxxx>
> ---
> net/bluetooth/af_bluetooth.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 8cfb5a8..d7239dd 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
> if (flags & (MSG_OOB))
> return -EOPNOTSUPP;
>
> + msg->msg_namelen = 0;
> +
> if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) {
> if (sk->sk_shutdown & RCV_SHUTDOWN)
> return 0;
> return err;
> }
>
> - msg->msg_namelen = 0;
> -
> copied = skb->len;
> if (len < copied) {
> msg->msg_flags |= MSG_TRUNC;
--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers
Attachment:
signature.asc
Description: This is a digitally signed message part