aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2013-06-12 16:02:27 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-06-27 10:34:33 -0700
commitb4d45a2af9c9ca5c14e00375366125e7c31d5293 (patch)
tree3baa2de8d222632222df024f1e162204c4f9360c
parentbba0c7f5421c40314ef48be4a7540efa76166dcd (diff)
downloadkernel_samsung_aries-b4d45a2af9c9ca5c14e00375366125e7c31d5293.zip
kernel_samsung_aries-b4d45a2af9c9ca5c14e00375366125e7c31d5293.tar.gz
kernel_samsung_aries-b4d45a2af9c9ca5c14e00375366125e7c31d5293.tar.bz2
packet: packet_getname_spkt: make sure string is always 0-terminated
[ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ] uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/packet/af_packet.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 4058afe..d596ceb 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1767,12 +1767,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
return -EOPNOTSUPP;
uaddr->sa_family = AF_PACKET;
+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
rcu_read_lock();
dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
if (dev)
- strncpy(uaddr->sa_data, dev->name, 14);
- else
- memset(uaddr->sa_data, 0, 14);
+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
rcu_read_unlock();
*uaddr_len = sizeof(*uaddr);