From: Daniel Borkmann Date: Wed, 12 Jun 2013 14:02:27 +0000 (+0200) Subject: packet: packet_getname_spkt: make sure string is always 0-terminated X-Git-Tag: upstream/snapshot3+hdmi~4919^2~13 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2dc85bf323515e59e15dfa858d1472bb25cad0fe;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller --- diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 8ec1bca..20a1bd0 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2851,12 +2851,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, return -EOPNOTSUPP; uaddr->sa_family = AF_PACKET; + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); if (dev) - strncpy(uaddr->sa_data, dev->name, 14); - else - memset(uaddr->sa_data, 0, 14); + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); rcu_read_unlock(); *uaddr_len = sizeof(*uaddr);