net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory

commit 320f1a4a upstream. proc_dostring() needs an initialized destination string, while the one provided in proc_sctp_do_hmac_alg() contains stack garbage. Thus, writing to cookie_hmac_alg would strlen() that garbage and end up accessing invalid memory. Fixes: 3c68198e ("sctp: Make hmac algorithm selection for cookie generation dynamic") Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
commit 320f1a4a upstream. proc_dostring() needs an initialized destination string, while the one provided in proc_sctp_do_hmac_alg() contains stack garbage. Thus, writing to cookie_hmac_alg would strlen() that garbage and end up accessing invalid memory. Fixes: 3c68198e ("sctp: Make hmac algorithm selection for cookie generation dynamic") Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
3c2a5619 · Sasha Levin · Luis Henriques · 17a02e0e · 3c2a5619
Commit 3c2a5619 authored Jan 07, 2016 by Sasha Levin Committed by Luis Henriques Jan 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/sctp/sysctl.c net/sctp/sysctl.c +1 -1

No files found.
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -324,7 +324,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
 	struct ctl_table tbl;
 	bool changed = false;
 	char *none = "none";
-	char tmp[8];
+	char tmp[8] = {0};
 	int ret;
 	memset(&tbl, 0, sizeof(struct ctl_table));