[patch 65/71] can: Fix raw_getname() leak

From: Greg KH
Date: Fri Sep 04 2009 - 20:23:49 EST

2.6.30-stable review patch. If anyone has any objections, please let us know.

From: Eric Dumazet <eric.dumazet@xxxxxxxxx>

commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.

raw_getname() can leak 10 bytes of kernel memory to user

(two bytes hole between can_family and can_ifindex,
8 bytes at the end of sockaddr_can structure)

Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Acked-by: Oliver Hartkopp <oliver@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

net/can/raw.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -397,6 +397,7 @@ static int raw_getname(struct socket *so
if (peer)

+ memset(addr, 0, sizeof(*addr));
addr->can_family = AF_CAN;
addr->can_ifindex = ro->ifindex;

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/