Commit 309cf37f authored by Mathias Krause's avatar Mathias Krause Committed by David S. Miller
Browse files

packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface 



Because we miss to wipe the remainder of i->addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.

Fix this by explicitly memset(0)ing the remaining bytes in i->addr[].

Fixes: eea68e2f ("packet: Report socket mclist info via diag module")
Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: default avatarPavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 41015e89

net/packet/af_packet.c

+1 −0
Original line number Diff line number Diff line
@@ -3521,6 +3521,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq) 
	i->ifindex = mreq->mr_ifindex;

	i->alen = mreq->mr_alen;

	memcpy(i->addr, mreq->mr_address, i->alen);

	memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen);

	i->count = 1;

	i->next = po->mclist;

	po->mclist = i;

CRA Git | Maintained and supported by SUSTech CRA and CCSE