l2tp: fix info leak in l2tp_ip6_recvmsg() The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack in l2tp_ip6_recvmsg() in case msg_name is set. Initialize l2tp_conn_id with 0 to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: b860d3cc62877fad02863e2a08efff69a19382d2 [log] [tgz]
author: Mathias Krause <minipli@googlemail.com> Sun Apr 07 01:51:55 2013 +0000
committer: David S. Miller <davem@davemloft.net> Sun Apr 07 16:28:01 2013 -0400
tree: e654b34c09acf71de2864416e5d13cb3cd0c10f3
parent: a5598bd9c087dc0efc250a5221e5d0e6f584ee88 [diff] [blame]
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c74f5a9..b8a6039 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c

@@ -690,6 +690,7 @@
 		lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
 		lsa->l2tp_flowinfo = 0;
 		lsa->l2tp_scope_id = 0;
+		lsa->l2tp_conn_id = 0;
 		if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
 			lsa->l2tp_scope_id = IP6CB(skb)->iif;
 	}
commit	b860d3cc62877fad02863e2a08efff69a19382d2	[log] [tgz]
author	Mathias Krause <minipli@googlemail.com>	Sun Apr 07 01:51:55 2013 +0000
committer	David S. Miller <davem@davemloft.net>	Sun Apr 07 16:28:01 2013 -0400
tree	e654b34c09acf71de2864416e5d13cb3cd0c10f3
parent	a5598bd9c087dc0efc250a5221e5d0e6f584ee88 [diff] [blame]