• Mathias Krause's avatar
    netrom: fix info leak via msg_name in nr_recvmsg() · 3ce5efad
    Mathias Krause authored
    In case msg_name is set the sockaddr info gets filled out, as
    requested, but the code fails to initialize the padding bytes of
    struct sockaddr_ax25 inserted by the compiler for alignment. Also
    the sax25_ndigis member does not get assigned, leaking four more
    bytes.
    
    Both issues lead to the fact that the code will leak uninitialized
    kernel stack bytes in net/socket.c.
    
    Fix both issues by initializing the memory with memset(0).
    
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    3ce5efad
af_netrom.c 32.5 KB