
af_packet: prevent information leak

In 2.6.27, commit 393e52e33c6c2 (packet: deliver VLAN TCI to userspace)
added a small information leak.

Add padding field and make sure it's zeroed before copy to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Eric Dumazet and committed by
David S. Miller
13fcb7bd 79b38915

+4
+2
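--- a/include/linux/if_packet.h
+++ b/include/linux/if_packet.h
@@ -62,6 +62,7 @@
 __u16 tp_mac;
 __u16 tp_net;
 __u16 tp_vlan_tci;
+__u16 tp_padding;
 };
 
 /* Rx ring - header status */
@@ -101,6 +102,7 @@
 __u32 tp_sec;
 __u32 tp_nsec;
 __u16 tp_vlan_tci;
+__u16 tp_padding;
 };
 
 #define TPACKET2_HDRLEN (TPACKET_ALIGN(sizeof(struct tpacket2_hdr)) + sizeof(struct sockaddr_ll))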
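Review bot: The new `tp_padding` members in both structs carry no comment, so a userspace reader of this exported header cannot tell that the field is reserved and that the kernel always writes it as zero. I would annotate each one, e.g. `__u16 tp_padding; /* reserved, always zero; makes the former tail hole explicit */`. The second struct shows `__u32` members before the lone trailing `__u16`, so its size presumably does not change; the start of the first struct is outside the hunk, so the same assumption there needs confirming before relying on an unchanged ABI size.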
+2
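--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -804,6 +804,7 @@
 } else {
 h.h2->tp_vlan_tci = 0;
 }
+h.h2->tp_padding = 0;
 hdrlen = sizeof(*h.h2);
 break;
 default:
@@ -1736,6 +1737,7 @@
 } else {
 aux.tp_vlan_tci = 0;
 }
+aux.tp_padding = 0;
 put_cmsg(msg, SOL_PACKET, PACKET_AUXDATA, sizeof(aux), &aux);
 }
 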
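Review bot: Clearing `tp_padding` member by member closes the leak for today's layout only, because `put_cmsg(msg, SOL_PACKET, PACKET_AUXDATA, sizeof(aux), &aux)` copies every byte of the object and any member or compiler padding added later and left unset would expose stack contents again. For the `aux` case I would clear the whole object once before it is filled, `memset(&aux, 0, sizeof(aux));`, placed right after its declaration (which is outside this hunk), and then drop the per-field `= 0` assignments. The `h.h2` path writes into a header whose allocation is not visible here, so whether the same whole-struct clear is appropriate there needs checking against the surrounding code. Both enclosing functions start and end outside the visible hunks.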