Diff - 85fbaa75037d0b6b786ff18658ddf0b4014ce2a4^! - kernel/linux-linaro-stable.git

commit	85fbaa75037d0b6b786ff18658ddf0b4014ce2a4	[log] [tgz]
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	Sat Nov 23 00:46:12 2013 +0100
committer	David S. Miller <davem@davemloft.net>	Sat Nov 23 14:46:23 2013 -0800
tree	7b0fdc3767421d9bc9c2157f6b652026fbff99dd
parent	ca15a078bd907df5fc1c009477869c5cbde3b753 [diff] [blame]

inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions

Commit bceaa90240b6019ed73b49965eac7d167610be69 ("inet: prevent leakage
of uninitialized memory to user in recv syscalls") conditionally updated
addr_len if the msg_name is written to. The recv_error and rxpmtu
functions relied on the recvmsg functions to set up addr_len before.

As this does not happen any more we have to pass addr_len to those
functions as well and set it to the size of the corresponding sockaddr
length.

This broke traceroute and such.

Fixes: bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
Reported-by: Brad Spengler <spender@grsecurity.net>
Reported-by: Tom Labanowski
Cc: mpb <mpb.mail@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 876c6ca..840cf1b 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c

@@ -841,10 +841,11 @@
 
 	if (flags & MSG_ERRQUEUE) {
 		if (family == AF_INET) {
-			return ip_recv_error(sk, msg, len);
+			return ip_recv_error(sk, msg, len, addr_len);
 #if IS_ENABLED(CONFIG_IPV6)
 		} else if (family == AF_INET6) {
-			return pingv6_ops.ipv6_recv_error(sk, msg, len);
+			return pingv6_ops.ipv6_recv_error(sk, msg, len,
+							  addr_len);
 #endif
 		}
 	}