git.ipfire.org Git - thirdparty/kernel/stable.git/commit
net: heap overflow in __audit_sockaddr()
author Dan Carpenter <dan.carpenter@oracle.com>
Wed, 2 Oct 2013 21:27:20 +0000 (00:27 +0300)
committer Willy Tarreau <w@1wt.eu>
Mon, 19 May 2014 05:53:32 +0000 (07:53 +0200)
commit afd86e972d729cc1722f942368a05e2ab12f3449
tree c91d744a4e415726c1650b3c9b5c1c5263e65b6f
parent 3e644055922658dd12c48c519f4e58b4294fd5ab
net: heap overflow in __audit_sockaddr()

[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]

We need to cap ->msg_namelen or it leads to a buffer overflow when we
do the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
exploit this bug.

The call tree is:
___sys_recvmsg()
  move_addr_to_user()
    audit_sockaddr()
      __audit_sockaddr()

Reported-by: Jüri Aedla <juri.aedla@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: 2.6.32: msg_sys is a struct, not a pointer]
Signed-off-by: Willy Tarreau <w@1wt.eu>
net/compat.c
net/socket.c
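
The length cap the commit message describes, as an added user-space illustration (not the kernel patch and not code from this page). The `model_*` names, the fixed `struct sockaddr_storage`-sized destination and the `-EINVAL` return are assumptions made for the sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* struct sockaddr_storage */

/* Added user-space model, not kernel code; every model_* name is hypothetical.
 * Assumed destination: one fixed-size address slot in an audit record. */
struct model_audit_ctx { struct sockaddr_storage addr; size_t addr_len; };

/* Message header as copied in from the caller; msg_namelen is caller-controlled. */
struct model_msghdr { const void *msg_name; int msg_namelen; };

/* Entry-point cap: refuse a name length the fixed slot cannot hold. */
int model_check_msghdr(const struct model_msghdr *m)
{
    if (m->msg_namelen < 0 || (size_t)m->msg_namelen > sizeof(struct sockaddr_storage))
        return -EINVAL;
    return 0;
}

/* The copy itself; re-checks the bound so it stays safe if a caller skips the cap. */
int model_audit_sockaddr(struct model_audit_ctx *ctx, const void *a, int len)
{
    if (len < 0 || (size_t)len > sizeof(ctx->addr))
        return -EINVAL;
    memcpy(&ctx->addr, a, (size_t)len);
    ctx->addr_len = (size_t)len;
    return 0;
}

/* Validate first, then record, in the order of the call tree above. */
int model_recvmsg_path(struct model_audit_ctx *ctx, const struct model_msghdr *m)
{
    int err = model_check_msghdr(m);
    return err ? err : model_audit_sockaddr(ctx, m->msg_name, m->msg_namelen);
}

/* Run the path once with a constructed source buffer and the given length. */
int model_try_len(int len)
{
    static unsigned char src[4096];   /* constructed sample input */
    static struct model_audit_ctx ctx;
    struct model_msghdr m = { src, len };
    return model_recvmsg_path(&ctx, &m);
}

int main(void)
{
    int max = (int)sizeof(struct sockaddr_storage);
    printf("len=%d -> %d, len=%d -> %d\n", max, model_try_len(max), max + 1, model_try_len(max + 1));
    return 0;
}
```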