From: Mathias Krause Date: Sun, 7 Apr 2013 01:51:55 +0000 (+0000) Subject: l2tp: fix info leak in l2tp_ip6_recvmsg() X-Git-Tag: v3.9~70^2~19^2~7 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b860d3cc62877fad02863e2a08efff69a19382d2;p=platform%2Fkernel%2Flinux-amlogic.git l2tp: fix info leak in l2tp_ip6_recvmsg() The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack in l2tp_ip6_recvmsg() in case msg_name is set. Initialize l2tp_conn_id with 0 to avoid the info leak. Signed-off-by: Mathias Krause Signed-off-by: David S. Miller --- diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c index c74f5a9..b8a6039 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c @@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk, lsa->l2tp_addr = ipv6_hdr(skb)->saddr; lsa->l2tp_flowinfo = 0; lsa->l2tp_scope_id = 0; + lsa->l2tp_conn_id = 0; if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) lsa->l2tp_scope_id = IP6CB(skb)->iif; }