forked from luck/tmp_suning_uos_patched
econet: 4 byte infoleak to the network
struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Phil Blundell <philb@gnu.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
4363c2fddb
commit
67c5c6cb81
|
@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
|
|||
udpdest.sin_addr.s_addr = htonl(network | addr.station);
|
||||
}
|
||||
|
||||
memset(&ah, 0, sizeof(ah));
|
||||
ah.port = port;
|
||||
ah.cb = cb & 0x7f;
|
||||
ah.code = 2; /* magic */
|
||||
ah.pad = 0;
|
||||
|
||||
/* tack our header on the front of the iovec */
|
||||
size = sizeof(struct aunhdr);
|
||||
|
|
Loading…
Reference in New Issue
Block a user