Commit 3c445af8 authored by Mathias Krause, committed by Willy Tarreau

llc: fix info leak via getsockname()

[ Upstream commit 3592aaeb ]

The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.

Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
parent 775ad2a8
...@@ -912,14 +912,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr, ...@@ -912,14 +912,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
struct sockaddr_llc sllc; struct sockaddr_llc sllc;
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct llc_sock *llc = llc_sk(sk); struct llc_sock *llc = llc_sk(sk);
int rc = 0; int rc = -EBADF;
memset(&sllc, 0, sizeof(sllc)); memset(&sllc, 0, sizeof(sllc));
lock_sock(sk); lock_sock(sk);
if (sock_flag(sk, SOCK_ZAPPED)) if (sock_flag(sk, SOCK_ZAPPED))
goto out; goto out;
*uaddrlen = sizeof(sllc); *uaddrlen = sizeof(sllc);
memset(uaddr, 0, *uaddrlen);
if (peer) { if (peer) {
rc = -ENOTCONN; rc = -ENOTCONN;
if (sk->sk_state != TCP_ESTABLISHED) if (sk->sk_state != TCP_ESTABLISHED)
......
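Review bot: the change of `int rc = 0;` to `int rc = -EBADF;` is the actual fix, and it deserves a one-line comment, because a reader of the hunk alone cannot tell why the initial value matters: on the `SOCK_ZAPPED` branch the function jumps to `out` before `*uaddrlen = sizeof(sllc);` runs, so with `rc = 0` the caller got a success return together with an untouched, uninitialized length, which is the stack leak the commit message describes. A comment such as `/* returned as-is when the socket is zapped; overwritten on all other paths */` above the declaration would make that dependency explicit, since `rc` is reassigned to `-ENOTCONN` only a few lines later on the `peer` path. With `memset(uaddr, 0, *uaddrlen);` dropped, the contents of the user-visible buffer now rest entirely on the final `memcpy()` of the still-zeroed `sllc` that the message refers to but that lies outside the visible hunk; please confirm that every path reaching that copy does so only after `*uaddrlen` has been set, as the caller trusts that length when copying back to user space.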