Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: L2CAP - Fix info leak via getsockname()

The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It therefore leaks
two bytes of kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
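The two-byte leak the commit message describes, reproduced in userspace as an added example (this is not code from the kernel or from this commit): a struct with the same member order as struct sockaddr_l2 is filled field by field over a stack slot pre-seeded with a known byte pattern, then copied out the way copy_to_user() would, and the bytes that reach the caller unchanged are counted. The struct definition, the FAKE_AF_BLUETOOTH marker, the STACK_RESIDUE pattern and the address, PSM and CID values are all constructed for the example; the fixed variant only adds the memset of the whole object before the per-field writes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's struct sockaddr_l2. The member
 * order mirrors the kernel UAPI header; the types are plain fixed-width
 * integers so the example builds without kernel headers (assumption). */
typedef uint16_t sa_family_t;
typedef struct { uint8_t b[6]; } bdaddr_t;

struct sockaddr_l2 {
    sa_family_t l2_family;
    uint16_t    l2_psm;
    bdaddr_t    l2_bdaddr;
    uint16_t    l2_cid;
    uint8_t     l2_bdaddr_type;
    /* the compiler adds one trailing padding byte so sizeof is a multiple of 2 */
};

#define FAKE_AF_BLUETOOTH 31   /* assumed marker value, not the kernel's constant */
#define STACK_RESIDUE     0xAA /* byte pattern standing in for leftover stack data */

typedef void (*fill_fn)(struct sockaddr_l2 *la, uint16_t psm, uint16_t cid,
                        const bdaddr_t *bd);

/* Models the pre-fix getsockname() path: each field is assigned on its own,
 * and l2_bdaddr_type plus the padding byte are never written. */
static void fill_vulnerable(struct sockaddr_l2 *la, uint16_t psm, uint16_t cid,
                            const bdaddr_t *bd)
{
    la->l2_family = FAKE_AF_BLUETOOTH;
    la->l2_psm    = psm;
    memcpy(&la->l2_bdaddr, bd, sizeof(*bd));
    la->l2_cid    = cid;
}

/* Models the fixed path: the whole object is cleared first, padding included,
 * then the same per-field writes happen. */
static void fill_fixed(struct sockaddr_l2 *la, uint16_t psm, uint16_t cid,
                       const bdaddr_t *bd)
{
    memset(la, 0, sizeof(*la));
    fill_vulnerable(la, psm, cid, bd);
}

/* Runs one fill routine over a struct pre-filled with STACK_RESIDUE, copies it
 * out the way copy_to_user() would, and counts bytes that still carry residue. */
static int leaked_bytes(fill_fn fill)
{
    struct sockaddr_l2 la;
    unsigned char out[sizeof la];
    const bdaddr_t bd = {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}}; /* constructed address */
    int n = 0;

    memset(&la, STACK_RESIDUE, sizeof la);  /* "dirty" stack slot */
    fill(&la, 0x1001, 0x0040, &bd);         /* constructed PSM and CID, no 0xAA bytes */
    memcpy(out, &la, sizeof la);            /* stand-in for copy_to_user() */

    for (size_t i = 0; i < sizeof out; i++)
        if (out[i] == STACK_RESIDUE)
            n++;
    return n;
}

/* Bytes from the first never-written member to the end of the object:
 * the uninitialised l2_bdaddr_type plus the alignment padding. */
static int unwritten_tail_bytes(void)
{
    return (int)(sizeof(struct sockaddr_l2) -
                 offsetof(struct sockaddr_l2, l2_bdaddr_type));
}

int main(void)
{
    printf("sizeof(struct sockaddr_l2) = %zu\n", sizeof(struct sockaddr_l2));
    printf("unwritten tail bytes       = %d\n", unwritten_tail_bytes());
    printf("leaked bytes, vulnerable   = %d\n", leaked_bytes(fill_vulnerable));
    printf("leaked bytes, fixed        = %d\n", leaked_bytes(fill_fixed));
    return 0;
}
```

The point the count makes is that a per-field initializer can never reach the padding byte, so only a whole-object clear (memset, or a zeroing initializer that the compiler is allowed to implement as one) removes both leaked bytes; on the common ABIs where uint16_t has 2-byte alignment the vulnerable path reports 2 and the fixed path 0.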

Authored by Mathias Krause, committed by David S. Miller
792039c7 9344a972

net/bluetooth/l2cap_sock.c (+1)
··· 245 245 246 246 BT_DBG("sock %p, sk %p", sock, sk); 247 247 248 + memset(la, 0, sizeof(struct sockaddr_l2)); 248 249 addr->sa_family = AF_BLUETOOTH; 249 250 *len = sizeof(struct sockaddr_l2); 250 251
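Review bot: the memset added at line 248 clears through `la` but sizes the clear with `sizeof(struct sockaddr_l2)`, the same spelled-out type that `*len = sizeof(struct sockaddr_l2);` uses two lines later; `memset(la, 0, sizeof(*la));` ties the cleared length to the pointee type so the clear and the reported length cannot drift apart if the pointer's type ever changes. The placement is correct: the clear precedes `addr->sa_family = AF_BLUETOOTH;` and the rest of the field writes, so nothing set by the function is wiped, and zeroing the whole object covers the trailing padding byte that per-field assignment leaves untouched, which is what an uninitialised-member fix alone would miss.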