diff options
| author | Richard Alpe <[email protected]> | 2016-03-03 14:20:42 +0100 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2016-03-06 22:54:57 -0500 |
| commit | ddb3712552c8807c75576fb4fbdbb16f0d48b161 (patch) | |
| tree | d412f143ca686dc52c2acf5380d0d45af916eb38 /include/linux/timerqueue.h | |
| parent | 2837f39c7cdbd209ab04d1c1f4eca015a40d5cd6 (diff) | |
tipc: safely copy UDP netlink data from user
The netlink policy for TIPC_NLA_UDP_LOCAL and TIPC_NLA_UDP_REMOTE
is of type binary with a defined length. This causes the policy
framework to threat the defined length as maximum length.
There is however no protection against a user sending a smaller
amount of data. Prior to this patch this wasn't handled which could
result in a partially incomplete sockaddr_storage struct containing
uninitialized data.
In this patch we use nla_memcpy() when copying the user data. This
ensures a potential gap at the end is cleared out properly.
This was found by Julia with Coccinelle tool.
Reported-by: Daniel Borkmann <[email protected]>
Reported-by: Julia Lawall <[email protected]>
Signed-off-by: Richard Alpe <[email protected]>
Acked-by: Jon Maloy <[email protected]>
Reviewed-by: Erik Hugne <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions