From: Mathias Krause <minipli@googlemail.com>
Date: Wed, 15 Aug 2012 11:31:51 +0000
Subject: Bluetooth: L2CAP - Fix info leak via getsockname()

[ Upstream commit 792039c73cf176c8e39a6e8beef2c94ff46522ed ]

The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It therefore leaks
two bytes of kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/l2cap_sock.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 5c406d3..6dedd6f 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -293,6 +293,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l

BT_DBG("sock %p, sk %p", sock, sk);

+ memset(la, 0, sizeof(struct sockaddr_l2));
addr->sa_family = AF_BLUETOOTH;
*len = sizeof(struct sockaddr_l2);
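Review bot: The added memset() in l2cap_sock_getname() carries no comment saying that it exists to zero l2_bdaddr_type and the alignment padding byte before the structure is copied out, so a later cleanup could drop it as redundant once every named member is assigned. A one-line comment above it stating that purpose would protect the fix. As a style point, sizeof(*la) would tie the cleared size to the pointer being cleared rather than repeating the type name, although the hunk's existing *len assignment uses sizeof(struct sockaddr_l2) as well, so the current form is at least consistent. The zeroing goes through la while the next line writes through addr; the hunk does not show how la is derived, so it is worth confirming in the full function that both point at the same caller buffer and that the memset stays ahead of every field store.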