Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: RFCOMM - Fix info leak via getsockname()

The RFCOMM code fails to initialize the trailing padding byte of struct
sockaddr_rc added for alignment. This leaks one byte of kernel stack
via the getsockname() syscall. Add an explicit memset(0) before filling
the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
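The leak the commit message describes comes from the layout of struct sockaddr_rc: a 2-byte family, a 6-byte Bluetooth address and a 1-byte channel add up to 9 bytes, so the compiler appends one padding byte to bring the size to a multiple of the 2-byte alignment, and a fill that only assigns the named fields never touches that byte. The following userspace program is an added example, not the kernel's code or the commit's diff; it models the struct with a hypothetical `struct sockaddr_rc_model` (assumed to match the kernel layout), poisons the storage with a sentinel byte to stand in for stale stack contents, runs the pre-patch fill beside the patched fill, and counts how many sentinel bytes would reach user space. The `fill_*`, `leaked_bytes*` names, the poison value and the sample address are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model of the kernel's struct sockaddr_rc
 * (assumed layout: 2-byte family, 6-byte bdaddr, 1-byte channel).
 * sizeof() comes out as 10: the compiler adds one trailing padding byte
 * so the struct stays a multiple of its 2-byte alignment. */
struct sockaddr_rc_model {
    uint16_t rc_family;
    uint8_t  rc_bdaddr[6];
    uint8_t  rc_channel;
    /* one implicit padding byte lives here */
};

#define AF_BLUETOOTH_MODEL 31   /* value of AF_BLUETOOTH on Linux */
#define STACK_POISON 0xAA       /* constructed sentinel standing in for stale stack data */

typedef void (*fill_fn)(struct sockaddr_rc_model *, const uint8_t *, uint8_t);

/* Pre-patch behaviour: every named field is assigned, the padding byte is not. */
static void fill_without_memset(struct sockaddr_rc_model *sa,
                                const uint8_t addr[6], uint8_t channel)
{
    sa->rc_family = AF_BLUETOOTH_MODEL;
    memcpy(sa->rc_bdaddr, addr, sizeof sa->rc_bdaddr);
    sa->rc_channel = channel;
}

/* Patched behaviour: zero the whole object first, then assign the fields,
 * so the padding byte is defined before the struct is copied out. */
static void fill_with_memset(struct sockaddr_rc_model *sa,
                             const uint8_t addr[6], uint8_t channel)
{
    memset(sa, 0, sizeof *sa);
    fill_without_memset(sa, addr, channel);
}

/* Poison the storage, run the fill, then count bytes still holding the
 * sentinel. Each surviving byte is one byte of "old stack" that getsockname()
 * would have copied to the caller. */
static size_t leaked_bytes(fill_fn fill)
{
    /* constructed sample input; no byte equals STACK_POISON, so any
     * surviving sentinel must come from the padding, not the data */
    static const uint8_t sample_addr[6] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
    struct sockaddr_rc_model sa;
    const unsigned char *raw = (const unsigned char *)&sa;
    size_t survivors = 0;

    memset(&sa, STACK_POISON, sizeof sa);
    fill(&sa, sample_addr, 3);

    for (size_t i = 0; i < sizeof sa; i++)
        if (raw[i] == STACK_POISON)
            survivors++;
    return survivors;
}

size_t leaked_bytes_without_memset(void) { return leaked_bytes(fill_without_memset); }
size_t leaked_bytes_with_memset(void)    { return leaked_bytes(fill_with_memset); }
size_t sockaddr_rc_model_size(void)      { return sizeof(struct sockaddr_rc_model); }

int main(void)
{
    printf("sizeof(struct sockaddr_rc_model) = %zu (fields sum to 9)\n",
           sockaddr_rc_model_size());
    printf("poison bytes surviving without memset: %zu\n",
           leaked_bytes_without_memset());
    printf("poison bytes surviving with memset:    %zu\n",
           leaked_bytes_with_memset());
    return 0;
}
```

The poison-then-fill check is the same idea tools such as KMSAN or a stack-poisoning allocator use to surface this bug class: the struct looks fully initialised at the source level, and only a byte-level view of the object shows the gap. The fix in the commit is the general remedy for any kernel-to-user copy of a struct with padding: zero the object with `memset(sa, 0, sizeof(*sa))` before the field assignments, rather than relying on every field being written.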

authored by Mathias Krause and committed by David S. Miller
9344a972 f9432c5e

net/bluetooth/rfcomm/sock.c
··· 528 528 529 529 BT_DBG("sock %p, sk %p", sock, sk); 530 530 531 + memset(sa, 0, sizeof(*sa)); 531 532 sa->rc_family = AF_BLUETOOTH; 532 533 sa->rc_channel = rfcomm_pi(sk)->channel; 533 534 if (peer)
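Review bot: consider a one-line comment above the added memset(sa, 0, sizeof(*sa)) stating that it exists to zero the trailing padding byte of struct sockaddr_rc, since without it a later cleanup could read the call as redundant next to the full set of field assignments and drop it. The placement is right: the zeroing precedes both the unconditional writes to rc_family and rc_channel and the if (peer) branch, so every byte of *sa is defined regardless of which branch runs, and sizeof(*sa) is the correct width because sa is the struct sockaddr_rc pointer rather than the generic sockaddr argument.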