tipc: fix an infoleak in tipc_nl_compat_link_dump

link_info.str is a char array of size 60. Memory after the NULL byte is not initialized. Sending the whole object out can cause a leak. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 5d2be142) CVE-2016-5243 BugLink: https://bugs.launchpad.net/bugs/1589036Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

tipc: fix an infoleak in tipc_nl_compat_link_dump
link_info.str is a char array of size 60. Memory after the NULL byte is not initialized. Sending the whole object out can cause a leak. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 5d2be142) CVE-2016-5243 BugLink: https://bugs.launchpad.net/bugs/1589036Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
7c777506 · Kangjie Lu · Kamal Mostafa · fb4db11b · 7c777506
Commit 7c777506 authored Jul 14, 2016 by Kangjie Lu Committed by Kamal Mostafa Jul 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

net/tipc/netlink_compat.c net/tipc/netlink_compat.c +2 -1

No files found.
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -574,7 +574,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,

 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
+	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
+		    TIPC_MAX_LINK_NAME);

 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
 			    &link_info, sizeof(link_info));