From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Date: Tue, 15 Dec 2015 21:00:20 +0100

> The problem is that llcp_sock_bind/llcp_raw_sock_bind do not check
> sockaddr_len passed in, so they copy stack garbage from stack into the
> socket and then return it in getsockname.
> This can defeat ASLR, leak crypto keys, etc.

That's actually the first thing these functions do. They completely clear
out the on-stack llcp_addr, then they copy only as much as the user gave
them, being careful not to use more than sizeof(llcp_addr).

	memset(&llcp_addr, 0, sizeof(llcp_addr));
	len = min_t(unsigned int, sizeof(llcp_addr), alen);
	memcpy(&llcp_addr, addr, len);

I don't see what the problem is; you'll need to be more specific.

Even wrt. llcp_sock->service_name, the code limits the string to
NFC_LLCP_MAX_SERVICE_NAME.
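The exchange above turns on why the memset before the bounded memcpy matters: with a short sockaddr_len, every byte of the on-stack address past what the caller supplied ends up in the socket and comes back through getsockname(), so those bytes must be zero rather than stale stack. The following user-space model, added here as an illustration and not code from the kernel or from either participant, contrasts the two patterns. It uses a hypothetical simplified struct (fake_sockaddr_llcp, not the real sockaddr_nfc_llcp layout), a constructed short user address, and a pre-filled marker byte in place of real uninitialised stack, since reading a genuinely uninitialised local is undefined behaviour. The service_name_len clamp models the NFC_LLCP_MAX_SERVICE_NAME limit mentioned in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for the kernel's sockaddr_nfc_llcp.
 * The field layout is for illustration only, not the real uAPI struct. */
#define LLCP_MAX_SERVICE_NAME 63

struct fake_sockaddr_llcp {
    uint16_t sa_family;
    uint32_t dev_idx;
    uint32_t target_idx;
    uint8_t  dsap;
    uint8_t  ssap;
    uint8_t  service_name_len;
    char     service_name[LLCP_MAX_SERVICE_NAME];
};

/* Deterministic stand-in for stale stack contents (constructed marker). */
#define STALE_BYTE 0xAA

static size_t min_size(size_t a, size_t b) { return a < b ? a : b; }

/* Pattern A, the situation the report describes: the copy is bounded, but
 * the on-stack address is never cleared, so bytes past `alen` keep
 * whatever the stack held and are carried into the socket. */
void bind_without_clear(struct fake_sockaddr_llcp *stored,
                        const void *addr, size_t alen)
{
    struct fake_sockaddr_llcp llcp_addr;
    memset(&llcp_addr, STALE_BYTE, sizeof(llcp_addr)); /* simulated stale stack */

    size_t len = min_size(sizeof(llcp_addr), alen);
    memcpy(&llcp_addr, addr, len);
    memcpy(stored, &llcp_addr, sizeof(llcp_addr));    /* into the socket */
}

/* Pattern B, the sequence quoted in the reply: clear, bounded copy, then
 * bound the service name length. */
void bind_cleared(struct fake_sockaddr_llcp *stored,
                  const void *addr, size_t alen)
{
    struct fake_sockaddr_llcp llcp_addr;
    memset(&llcp_addr, STALE_BYTE, sizeof(llcp_addr)); /* simulated stale stack */

    memset(&llcp_addr, 0, sizeof(llcp_addr));
    size_t len = min_size(sizeof(llcp_addr), alen);
    memcpy(&llcp_addr, addr, len);
    if (llcp_addr.service_name_len > LLCP_MAX_SERVICE_NAME)
        llcp_addr.service_name_len = LLCP_MAX_SERVICE_NAME;
    memcpy(stored, &llcp_addr, sizeof(llcp_addr));
}

/* Count non-zero bytes at offsets the bind caller never supplied
 * (offset >= alen): these are what a later getsockname() would return. */
size_t leaked_bytes(const struct fake_sockaddr_llcp *stored, size_t alen)
{
    const unsigned char *p = (const unsigned char *)stored;
    size_t n = 0;
    for (size_t i = min_size(alen, sizeof(*stored)); i < sizeof(*stored); i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Drive either pattern with a constructed user address that only sets the
 * family, passing an arbitrary `alen`, and return the stale-byte count. */
size_t demo_leak(int cleared, size_t alen)
{
    unsigned char user_addr[256] = {0};   /* constructed input buffer */
    user_addr[0] = 0x27;                   /* AF_NFC is 39 on Linux */
    struct fake_sockaddr_llcp stored;
    if (cleared)
        bind_cleared(&stored, user_addr, alen);
    else
        bind_without_clear(&stored, user_addr, alen);
    return leaked_bytes(&stored, alen);
}

/* Feed an oversized service_name_len and return what the cleared path stores. */
unsigned demo_service_name_len(void)
{
    struct fake_sockaddr_llcp in;
    memset(&in, 0, sizeof(in));
    in.sa_family = 0x27;
    in.service_name_len = 200;
    struct fake_sockaddr_llcp stored;
    bind_cleared(&stored, &in, sizeof(in));
    return stored.service_name_len;
}

int main(void)
{
    printf("no memset, alen=2    : %zu stale bytes reach the socket\n", demo_leak(0, 2));
    printf("memset first, alen=2 : %zu stale bytes reach the socket\n", demo_leak(1, 2));
    printf("alen larger than struct: %zu stale bytes (copy capped at sizeof)\n", demo_leak(0, 1000));
    printf("oversized service_name_len stored as %u\n", demo_service_name_len());
    return 0;
}
```

The two bounds are independent: min_t on alen stops an over-long sockaddr from overrunning llcp_addr, while the memset is what prevents an under-long one from turning the unsupplied tail into an information leak. Both are needed, which is why the reply points at the memset first.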