Commit 3592aae

minipli authored and davem330 committed
llc: fix info leak via getsockname()
The LLC code wrongly returns 0, i.e. "success", when the socket is zapped. Together with the uninitialized uaddrlen pointer argument from sys_getsockname this leads to an arbitrary memory leak of up to 128 bytes kernel stack via the getsockname() syscall.

Return an error instead when the socket is zapped to prevent the info leak. Also remove the unnecessary memset(0). We don't directly write to the memory pointed by uaddr but memcpy() a local structure at the end of the function that is properly initialized.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 04d4fbc commit 3592aae
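
The failure mode described in the commit message, modelled in user space as an added example (not part of the commit or of the kernel source). The function names, `ADDR_LEN`, the 0xAA fill and the caller's clamp are assumptions made for illustration; only the 128-byte bound and the two initial values of `rc` come from this page.

```c
#include <errno.h>
#include <string.h>
#define STACK_BUF 128 /* leak bound given in the commit message */
#define ADDR_LEN  16  /* assumed size of the protocol address structure */

static int getname_before(int zapped, unsigned char *addr, int *len)
{
    int rc = 0;               /* pre-fix initial value */
    if (zapped)
        return rc;            /* "success" with *len and addr untouched */
    *len = ADDR_LEN;
    memset(addr, 0, ADDR_LEN);
    return rc;
}

static int getname_after(int zapped, unsigned char *addr, int *len)
{
    int rc = -EBADF;          /* post-fix initial value */
    if (zapped)
        return rc;            /* caller sees an error and copies nothing */
    *len = ADDR_LEN;
    memset(addr, 0, ADDR_LEN);
    return 0;
}

typedef int (*getname_fn)(int, unsigned char *, int *);
/* Hypothetical caller that trusts len whenever the callee returns 0. The 0xAA
 * fill and stale_len stand in for leftover stack contents (constructed). */
static int stale_bytes_copied(getname_fn fn, int zapped, int stale_len)
{
    unsigned char address[STACK_BUF], out[STACK_BUF];
    int len = stale_len, err, i, stale = 0;
    memset(address, 0xAA, sizeof(address));
    err = fn(zapped, address, &len);
    if (err)
        return err;           /* negative errno: nothing is copied out */
    if (len < 0 || len > STACK_BUF)
        len = STACK_BUF;      /* assumed clamp to the buffer size */
    memcpy(out, address, (size_t)len);
    for (i = 0; i < len; i++)
        stale += (out[i] == 0xAA);
    return stale;             /* stale bytes that reached the output */
}

int main(void)
{
    return !(stale_bytes_copied(getname_before, 1, 4096) == STACK_BUF &&
             stale_bytes_copied(getname_after, 1, 4096) == -EBADF);
}
```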

1 file changed: +1 -2 lines changed

Diff for: net/llc/af_llc.c

@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
969969
struct sockaddr_llc sllc;
970970
struct sock *sk = sock->sk;
971971
struct llc_sock *llc = llc_sk(sk);
972-
int rc = 0;
972+
int rc = -EBADF;
973973

974974
memset(&sllc, 0, sizeof(sllc));
975975
lock_sock(sk);
976976
if (sock_flag(sk, SOCK_ZAPPED))
977977
goto out;
978978
*uaddrlen = sizeof(sllc);
979-
memset(uaddr, 0, *uaddrlen);
980979
if (peer) {
981980
rc = -ENOTCONN;
982981
if (sk->sk_state != TCP_ESTABLISHED)
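
Review bot: changing the initial value at `int rc = -EBADF;` also changes the result of every path that reaches `out` without assigning rc, and the visible context only shows the peer branch setting it (`rc = -ENOTCONN;`). Please confirm that the success path, in particular the non-peer branch, assigns rc = 0 before the final copy; otherwise a bound socket would now get -EBADF from getsockname(). A short comment at the `sock_flag(sk, SOCK_ZAPPED)` check noting that *uaddrlen is left unwritten on that error return would also help, since the remaining `memset(&sllc, 0, sizeof(sllc));` is now the only thing keeping the copied structure fully initialised.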
