inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb <mpb.mail@gmail.com> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: bceaa90240b6019ed73b49965eac7d167610be69 [log] [tgz]
author: Hannes Frederic Sowa <hannes@stressinduktion.org> Mon Nov 18 04:20:45 2013 +0100
committer: David S. Miller <davem@davemloft.net> Mon Nov 18 15:12:03 2013 -0500
tree: f68c10948efff147a7b987369f1e720ad76f411b
parent: bcd081a3aef1f7f3786067ae8dd26aaa1cf85153 [diff] [blame]
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index f3893e8..81eb8cf 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c

@@ -392,9 +392,6 @@
 	int is_udp4;
 	bool slow;
 
-	if (addr_len)
-		*addr_len = sizeof(struct sockaddr_in6);
-
 	if (flags & MSG_ERRQUEUE)
 		return ipv6_recv_error(sk, msg, len);
 
@@ -480,7 +477,7 @@
 				ipv6_iface_scope_id(&sin6->sin6_addr,
 						    IP6CB(skb)->iif);
 		}
-
+		*addr_len = sizeof(*sin6);
 	}
 	if (is_udp4) {
 		if (inet->cmsg_flags)
commit	bceaa90240b6019ed73b49965eac7d167610be69	[log] [tgz]
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	Mon Nov 18 04:20:45 2013 +0100
committer	David S. Miller <davem@davemloft.net>	Mon Nov 18 15:12:03 2013 -0500
tree	f68c10948efff147a7b987369f1e720ad76f411b
parent	bcd081a3aef1f7f3786067ae8dd26aaa1cf85153 [diff] [blame]