From: Richard Alpe <richard.a...@ericsson.com> Date: Thu, 3 Mar 2016 14:20:42 +0100
> The netlink policy for TIPC_NLA_UDP_LOCAL and TIPC_NLA_UDP_REMOTE > is of type binary with a defined length. This causes the policy > framework to threat the defined length as maximum length. > > There is however no protection against a user sending a smaller > amount of data. Prior to this patch this wasn't handled which could > result in a partially incomplete sockaddr_storage struct containing > uninitialized data. > > In this patch we use nla_memcpy() when copying the user data. This > ensures a potential gap at the end is cleared out properly. > > This was found by Julia with Coccinelle tool. > > Reported-by: Daniel Borkmann <dan...@iogearbox.net> > Reported-by: Julia Lawall <julia.law...@lip6.fr> > Signed-off-by: Richard Alpe <richard.a...@ericsson.com> > Acked-by: Jon Maloy <jon.ma...@ericsson.com> > Reviewed-by: Erik Hugne <erik.hu...@gmail.com> Applied.
