On Tue, 2013-06-04 at 19:23 +0200, Willy Tarreau wrote: > 2.6.32-longterm review patch. If anyone has any objections, please let me know. > > ------------------ > bt_sock_recvmsg() > > From: Mathias Krause <minipli@xxxxxxxxxxxxxx> commit 4683f42fde3977bdb4e8a09622788cc8b5313778 upstream. > In case the socket is already shutting down, bt_sock_recvmsg() returns > with 0 without updating msg_namelen leading to net/socket.c leaking the > local, uninitialized sockaddr_storage variable to userland -- 128 bytes > of kernel stack memory. > > Fix this by moving the msg_namelen assignment in front of the shutdown > test. > > Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx> > Cc: Gustavo Padovan <gustavo@xxxxxxxxxxx> > Cc: Johan Hedberg <johan.hedberg@xxxxxxxxx> > Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> > [dannf: adjusted to apply to Debian's 2.6.32] > Signed-off-by: Willy Tarreau <w@xxxxxx> > --- > net/bluetooth/af_bluetooth.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c > index 8cfb5a8..d7239dd 100644 > --- a/net/bluetooth/af_bluetooth.c > +++ b/net/bluetooth/af_bluetooth.c > @@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, > if (flags & (MSG_OOB)) > return -EOPNOTSUPP; > > + msg->msg_namelen = 0; > + > if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) { > if (sk->sk_shutdown & RCV_SHUTDOWN) > return 0; > return err; > } > > - msg->msg_namelen = 0; > - > copied = skb->len; > if (len < copied) { > msg->msg_flags |= MSG_TRUNC; -- Ben Hutchings Theory and practice are closer in theory than in practice. - John Levine, moderator of comp.compilers
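Review bot: The move closes the leak for the visible early returns, but the reason for the ordering is not recorded in the code. After this hunk, both `return 0;` (RCV_SHUTDOWN) and `return err;` sit below `msg->msg_namelen = 0;`, and the only early return still above it, `return -EOPNOTSUPP;`, is negative so the caller will not copy an address back to userland. Suggest a one-line comment above the assignment, e.g. `/* must be set before any return >= 0, or the caller copies stack garbage */`, so a later change does not reintroduce an early success return above it.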