econet: 4 byte infoleak to the network

struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: N Vasiliy Kulikov <segoon@openwall.com> Acked-by: N Phil Blundell <philb@gnu.org> Signed-off-by: N David S. Miller <davem@davemloft.net>

econet: 4 byte infoleak to the network
struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: N Vasiliy Kulikov <segoon@openwall.com> Acked-by: N Phil Blundell <philb@gnu.org> Signed-off-by: N David S. Miller <davem@davemloft.net>
67c5c6cb · Vasiliy Kulikov · David S. Miller · 4363c2fd · 67c5c6cb
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

net/econet/af_econet.c net/econet/af_econet.c +1 -1

未找到文件。
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 		udpdest.sin_addr.s_addr = htonl(network | addr.station);
 	}

+	memset(&ah, 0, sizeof(ah));
 	ah.port = port;
 	ah.cb = cb & 0x7f;
 	ah.code = 2;		/* magic */
-	ah.pad = 0;

 	/* tack our header on the front of the iovec */
 	size = sizeof(struct aunhdr);