
Commit 4683f42

minipli authored and davem committed
Bluetooth: fix possible info leak in bt_sock_recvmsg()

In case the socket is already shutting down, bt_sock_recvmsg() returns with 0 without updating msg_namelen leading to net/socket.c leaking the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory.

Fix this by moving the msg_namelen assignment in front of the shutdown test.

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent ef3313e commit 4683f42

File tree

1 file changed

+2
-2
lines changed


Diff for: net/bluetooth/af_bluetooth.c

+2 -2

Original line | New line | Change
@@ -230,15 +230,15 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
230230
if (flags & (MSG_OOB))
231231
return -EOPNOTSUPP;
232232

233+
msg->msg_namelen = 0;
234+
233235
skb = skb_recv_datagram(sk, flags, noblock, &err);
234236
if (!skb) {
235237
if (sk->sk_shutdown & RCV_SHUTDOWN)
236238
return 0;
237239
return err;
238240
}
239241

240-
msg->msg_namelen = 0;
241-
242242
copied = skb->len;
243243
if (len < copied) {
244244
msg->msg_flags |= MSG_TRUNC;
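Review bot: the moved `msg->msg_namelen = 0;` now precedes both early exits in the `if (!skb)` block, which is what closes the leak: the `return 0;` on `RCV_SHUTDOWN` reports success to net/socket.c, so whatever msg_namelen holds at that point decides how many bytes of the caller's stack-allocated sockaddr_storage get copied to userland, and before this change nothing had written it. The `return err;` path is safe either way since the caller does not copy the name on error, but zeroing before the call keeps every exit consistent. One suggestion: add a one-line comment above the new assignment stating that it must stay ahead of the skb_recv_datagram() error handling, so a later cleanup does not move it back next to `copied = skb->len;` where it originally sat and silently reintroduce the uninitialized-length return.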
