net/rds: Fix info leak in rds6_inc_info_copy() [Linux 4.19.72]

This Linux kernel change, "net/rds: Fix info leak in rds6_inc_info_copy()", is included in the Linux 4.19.72 release. It was authored by Ka-Cheong Poon <ka-cheong.poon [at] oracle.com> on Mon Aug 26 02:39:12 2019 -0700. The commit for this change in the Linux stable tree is 9484203 (patch), which is from upstream commit 7d0a065. The same upstream change may have been applied to various maintained Linux releases, and you can find all Linux releases containing changes from upstream 7d0a065.

net/rds: Fix info leak in rds6_inc_info_copy()

[ Upstream commit 7d0a06586b2686ba80c4a2da5f91cb10ffbea736 ]

The rds6_inc_info_copy() function has a couple struct members which
are leaking stack information.  The ->tos field should hold actual
information and the ->flags field needs to be zeroed out.

Fixes: 3eb450367d08 ("rds: add type of service(tos) infrastructure")
Fixes: b7ff8b1036f0 ("rds: Extend RDS API for IPv6 support")
Reported-by: 黄ID蝴蝶 <butterflyhuangxx@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

There are 5 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 net/rds/recv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/rds/recv.c b/net/rds/recv.c
index 504cd6b..c0b9455 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved.
  *
  * This software is available to you under a choice of one of two
  * licenses.  You may choose to be licensed under the terms of the GNU
@@ -803,6 +803,7 @@ void rds6_inc_info_copy(struct rds_incoming *inc,

    minfo6.seq = be64_to_cpu(inc->i_hdr.h_sequence);
    minfo6.len = be32_to_cpu(inc->i_hdr.h_len);
+   minfo6.tos = 0;

    if (flip) {
        minfo6.laddr = *daddr;
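
Review bot: The added `minfo6.tos = 0;` after the `minfo6.len` assignment does not match the commit message, which says the ->tos field should hold actual information. A constant zero closes the leak but reports no type of service to whoever reads this info record. If this tree has a per-connection tos value reachable through `inc`, copy it here; if it does not, state in the changelog that this version deliberately reports 0.
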
@@ -816,6 +817,8 @@ void rds6_inc_info_copy(struct rds_incoming *inc,
        minfo6.fport = inc->i_hdr.h_dport;
    }

+   minfo6.flags = 0;
+
    rds_info_copy(iter, &minfo6, sizeof(minfo6));
 }
 #endif
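
Review bot: Zeroing `minfo6.flags` just before `rds_info_copy(iter, &minfo6, sizeof(minfo6))` covers the members known to leak today, but the copy still sends the whole struct, so any padding or any member added later would be uninitialized again. Consider a single `memset(&minfo6, 0, sizeof(minfo6));` at the top of rds6_inc_info_copy() instead of per-field assignments; that also makes the separate `tos` and `flags` lines unnecessary.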
