Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / bceaa90240b6019ed73b49965eac7d167610be69^! / . / net / ipv4 / udp.c
commitbceaa90240b6019ed73b49965eac7d167610be69[log] [tgz]
authorHannes Frederic Sowa <hannes@stressinduktion.org>Mon Nov 18 04:20:45 2013 +0100
committerDavid S. Miller <davem@davemloft.net>Mon Nov 18 15:12:03 2013 -0500
treef68c10948efff147a7b987369f1e720ad76f411b
parentbcd081a3aef1f7f3786067ae8dd26aaa1cf85153 [diff] [blame]
inet: prevent leakage of uninitialized memory to user in recv syscalls

Only update *addr_len when we actually fill in sockaddr, otherwise we
can return uninitialized memory from the stack to the caller in the
recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
checks because we only get called with a valid addr_len pointer either
from sock_common_recvmsg or inet_recvmsg.

If a blocking read waits on a socket which is concurrently shut down we
now return zero and set msg_msgnamelen to 0.

Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 89909dd..998431c 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c

@@ -1235,12 +1235,6 @@
 	int is_udplite = IS_UDPLITE(sk);
 	bool slow;
 
-	/*
-	 *	Check any passed addresses
-	 */
-	if (addr_len)
-		*addr_len = sizeof(*sin);
-
 	if (flags & MSG_ERRQUEUE)
 		return ip_recv_error(sk, msg, len);
 
@@ -1302,6 +1296,7 @@
 		sin->sin_port = udp_hdr(skb)->source;
 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
 		memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+		*addr_len = sizeof(*sin);
 	}
 	if (inet->cmsg_flags)
 		ip_cmsg_recv(msg, skb);