From: Marcel Holtmann <marcel@holtmann.org>
To: netdev@vger.kernel.org
Cc: stable@kernel.org
Subject: Fix SO_ORIGINAL_DST information leak (CVE-2006-1343)
Date: Fri, 26 May 2006 13:50:46 +0200 [thread overview]
Message-ID: <1148644246.21881.7.camel@localhost> (raw)
[-- Attachment #1: Type: text/plain, Size: 295 bytes --]
Hi,
the fix for CVE-2006-1343 (information leak) never made it upstream:
http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
So here it is again against the latest git repository and with the
additional line in net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.
Regards
Marcel
[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 1853 bytes --]
[PATCH] Fix small information leak in SO_ORIGINAL_DST
It appears that sockaddr_in.sin_zero is not zeroed during
getsockopt(...SO_ORIGINAL_DST...) operation. This can lead
to an information leak (CVE-2006-1343).
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
commit 8b9b62a6bb6c5488fd094d97216787e191721a15
tree fac8f79c318f37d4cb6795e540b77be61c9d1f5d
parent 705af309505681f197f81618440954d10f120dc0
author Marcel Holtmann <marcel@holtmann.org> Fri, 26 May 2006 13:45:42 +0200
committer Marcel Holtmann <marcel@holtmann.org> Fri, 26 May 2006 13:45:42 +0200
net/ipv4/netfilter/ip_conntrack_core.c | 1 +
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 979a2ea..a297da7 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1318,6 +1318,7 @@ getorigdst(struct sock *sk, int optval,
.tuple.dst.u.tcp.port;
sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
.tuple.dst.ip;
+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5bc9f64..77d9744 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -348,6 +348,7 @@ getorigdst(struct sock *sk, int optval,
.tuple.dst.u.tcp.port;
sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
.tuple.dst.u3.ip;
+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
next reply other threads:[~2006-05-26 11:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-26 11:50 Marcel Holtmann [this message]
2006-05-26 14:36 ` Fix SO_ORIGINAL_DST information leak (CVE-2006-1343) Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1148644246.21881.7.camel@localhost \
--to=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).