diff options
author | Hannes Frederic Sowa <hannes@stressinduktion.org> | 2013-11-18 04:20:45 +0100 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2014-05-19 07:53:59 +0200 |
commit | f8e4f8fc477a233429d60e7ed4acdc5e09337af9 (patch) | |
tree | 4d923f70d71af91803333e56f060d8dbb5cb8f1b /net/ipv6/udp.c | |
parent | c091517bfcde5e59ef4f8f1355761dbe2b04c6ff (diff) |
inet: prevent leakage of uninitialized memory to user in recv syscalls
[ Upstream commit bceaa90240b6019ed73b49965eac7d167610be69 ]
Only update *addr_len when we actually fill in sockaddr, otherwise we
can return uninitialized memory from the stack to the caller in the
recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
checks because we only get called with a valid addr_len pointer either
from sock_common_recvmsg or inet_recvmsg.
If a blocking read waits on a socket which is concurrently shut down we
now return zero and set msg_msgnamelen to 0.
Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: no ieee802154, ping nor l2tp in 2.6.32]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'net/ipv6/udp.c')
-rw-r--r-- | net/ipv6/udp.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index d8c037440078..ce291af0f95d 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -200,9 +200,6 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, int is_udplite = IS_UDPLITE(sk); int is_udp4; - if (addr_len) - *addr_len=sizeof(struct sockaddr_in6); - if (flags & MSG_ERRQUEUE) return ipv6_recv_error(sk, msg, len); @@ -273,7 +270,7 @@ try_again: if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL) sin6->sin6_scope_id = IP6CB(skb)->iif; } - + *addr_len = sizeof(*sin6); } if (is_udp4) { if (inet->cmsg_flags) |