git.openpandora.org / pandora-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ea54bc7) | patch
net: heap overflow in __audit_sockaddr()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 2 Oct 2013 21:27:20 +0000 (00:27 +0300)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 28 Nov 2013 14:01:56 +0000 (14:01 +0000)
commitf1d515ce7d27262d9acb468aece806264886a9be
tree866f436aded6b2ccaa69e56617546ef288d47d7etree | snapshot
parentea54bc74c4cc418b395bc361fb1138255ea18080commit | diff
net: heap overflow in __audit_sockaddr()

[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ]

We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
exploit this bug.

The call tree is:
___sys_recvmsg()
  move_addr_to_user()
    audit_sockaddr()
      __audit_sockaddr()

Reported-by: Jüri Aedla <juri.aedla@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/compat.c diff | blob | history
net/socket.c diff | blob | history
Pandora Kernel Repository