l2tp: fix info leak in l2tp_ip6_recvmsg()
authorMathias Krause <minipli@googlemail.com>
Sun, 7 Apr 2013 01:51:55 +0000 (01:51 +0000)
committerDavid S. Miller <davem@davemloft.net>
Sun, 7 Apr 2013 20:28:01 +0000 (16:28 -0400)
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.

Initialize l2tp_conn_id with 0 to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/l2tp/l2tp_ip6.c

index c74f5a91ff6a3213209c23ff488f0b475a552857..b8a6039314e868781d3130f06fbb78ced6c4a678 100644 (file)
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
                lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
                lsa->l2tp_flowinfo = 0;
                lsa->l2tp_scope_id = 0;
+               lsa->l2tp_conn_id = 0;
                if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
                        lsa->l2tp_scope_id = IP6CB(skb)->iif;
        }