Commit 3d4997da authored by Kangjie Lu's avatar Kangjie Lu Committed by Ben Hutchings

tipc: fix an infoleak in tipc_nl_compat_link_dump

commit 5d2be142 upstream.

link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: default avatarKangjie Lu <kjlu@gatech.edu>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
[carnil: Backported to 3.16 (same as bwh did for 3.2): the unpadded strcpy() is
in tipc_node_get_links() and no nlattr is involved, so use strncpy()]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent ece77e42
...@@ -417,7 +417,8 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space) ...@@ -417,7 +417,8 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
continue; continue;
link_info.dest = htonl(n_ptr->addr); link_info.dest = htonl(n_ptr->addr);
link_info.up = htonl(tipc_link_is_up(n_ptr->links[i])); link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
strcpy(link_info.str, n_ptr->links[i]->name); strncpy(link_info.str, n_ptr->links[i]->name,
sizeof(link_info.str));
tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO, tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
&link_info, sizeof(link_info)); &link_info, sizeof(link_info));
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment