[Acked] [PATCH] llc: Fix missing msg_namelen update in llc_ui_recvmsg()

Andy Whitcroft apw at canonical.com
Mon May 20 14:58:29 UTC 2013


On Mon, May 20, 2013 at 01:06:43PM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
> 
> CVE-2013-3231
> 
> BugLink: https://bugs.launchpad.net/bugs/1172385
> 
> For stream sockets the code misses to update the msg_namelen member
> to 0 and therefore makes net/socket.c leak the local, uninitialized
> sockaddr_storage variable to userland -- 128 bytes of kernel stack
> memory. The msg_namelen update is also missing for datagram sockets
> in case the socket is shutting down during receive.
> 
> Fix both issues by setting msg_namelen to 0 early. It will be
> updated later if we're going to fill the msg_name member.
> 
> Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit c77a4b9cffb6215a15196ec499490d116dfad181)
> 
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  net/llc/af_llc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
> index 606b6ad..8a814a5 100644
> --- a/net/llc/af_llc.c
> +++ b/net/llc/af_llc.c
> @@ -674,6 +674,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
>  	int target;	/* Read at least this many bytes */
>  	long timeo;
>  
> +	msg->msg_namelen = 0;
> +
>  	lock_sock(sk);
>  	copied = -ENOTCONN;
>  	if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
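Review bot: the zeroing of `msg->msg_namelen` has to precede every return path, so placing it before `lock_sock(sk)` rather than inside the locked region is the right choice here; it covers the `-ENOTCONN` bail-out for a listening SOCK_STREAM socket visible in this context as well as the datagram shutdown path the commit message mentions. The hunk context does not show the later assignment the commit message relies on ("It will be updated later if we're going to fill the msg_name member"), so for the backport it is worth confirming in the 606b6ad version of af_llc.c that the datagram path still sets `msg_namelen` to the address size after filling `msg_name`; otherwise the early zeroing would hide a valid sender address from userland rather than just the stale stack bytes.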

Clean cherry-pick of upstream of above sha1.  Looks to do what is
claimed.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw
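The mechanism the commit message describes, as an added userland model that is not kernel code and not part of this thread: the generic socket layer keeps a `sockaddr_storage` (128 bytes on Linux) on its stack, hands it to the protocol's recvmsg handler, and afterwards copies `msg_namelen` bytes of it back to the caller. If the handler returns early without touching `msg_namelen`, the caller-supplied length survives and the copy reveals whatever the stack held. `struct sample_addr`, the `STALE_BYTE` fill standing in for leftover stack contents, and the two handler variants are constructed for this illustration; `net/socket.c` and `llc_ui_recvmsg()` are approximated, not reproduced.

```c
/* Userland model of the recvmsg() path fixed by the patch above.
 * Not kernel code: net/socket.c and llc_ui_recvmsg() are approximated by
 * small functions so the leak mechanism can be exercised and checked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical protocol address, standing in for the real LLC sockaddr. */
struct sample_addr {
    uint16_t family;
    uint8_t  mac[6];
};

/* Constructed pattern written into the stack buffer to play the role of
 * whatever the kernel stack held before the call, so the check is
 * deterministic (a real stack holds arbitrary leftover data). */
#define STALE_BYTE 0xA5

/* What "userland" gets back: the reported length and the copied bytes. */
struct recv_result {
    size_t  namelen;
    uint8_t name[sizeof(struct sockaddr_storage)];
};

typedef void (*recvmsg_fn)(struct msghdr *msg, int fill_name);

/* Shared "we have a sender address" path of both handler variants. */
static void fill_sender(struct msghdr *msg) {
    struct sample_addr *a = msg->msg_name;
    a->family = 26;                                  /* AF_LLC on Linux */
    memcpy(a->mac, "\x02\x00\x00\x00\x00\x01", 6);   /* constructed MAC */
    msg->msg_namelen = sizeof(*a);
}

/* Before the patch: msg_namelen is only written on the path that fills
 * msg_name. Every other return (e.g. -ENOTCONN, shutdown) leaves the
 * caller-supplied length in place. */
static void llc_recvmsg_before(struct msghdr *msg, int fill_name) {
    if (fill_name)
        fill_sender(msg);
}

/* After the patch: msg_namelen is zeroed first and only raised again
 * when msg_name is actually filled. */
static void llc_recvmsg_after(struct msghdr *msg, int fill_name) {
    msg->msg_namelen = 0;
    if (fill_name)
        fill_sender(msg);
}

/* Model of the generic layer: a sockaddr_storage on the stack is handed to
 * the protocol, then msg_namelen bytes of it are copied to the user
 * regardless of how many the protocol actually wrote. */
static struct recv_result generic_recvmsg(recvmsg_fn proto, int fill_name) {
    struct recv_result out;
    struct sockaddr_storage addr;
    struct msghdr msg;

    memset(&addr, STALE_BYTE, sizeof(addr)); /* stands in for an uninitialised stack */
    memset(&out, 0, sizeof(out));
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &addr;
    msg.msg_namelen = sizeof(addr);          /* user passed a 128-byte buffer */

    proto(&msg, fill_name);

    if (msg.msg_namelen > 0) {               /* move_addr_to_user() equivalent */
        size_t n = msg.msg_namelen;
        if (n > sizeof(addr))
            n = sizeof(addr);
        memcpy(out.name, &addr, n);
        out.namelen = n;
    }
    return out;
}

/* Number of returned bytes that are still the stale pattern, i.e. leaked. */
static size_t stale_bytes_returned(const struct recv_result *r) {
    size_t count = 0;
    for (size_t i = 0; i < r->namelen; i++)
        if (r->name[i] == STALE_BYTE)
            count++;
    return count;
}

/* Bytes of stale stack leaked when the handler takes an early-return path. */
static size_t leaked_on_early_return(recvmsg_fn proto) {
    struct recv_result r = generic_recvmsg(proto, 0);
    return stale_bytes_returned(&r);
}

/* Length reported when the handler does fill a sender address. */
static size_t reported_len_when_filled(recvmsg_fn proto) {
    struct recv_result r = generic_recvmsg(proto, 1);
    return r.namelen;
}

int main(void) {
    printf("before fix, early return: %zu stale bytes returned\n",
           leaked_on_early_return(llc_recvmsg_before));
    printf("after fix,  early return: %zu stale bytes returned\n",
           leaked_on_early_return(llc_recvmsg_after));
    printf("after fix,  address filled: namelen %zu\n",
           reported_len_when_filled(llc_recvmsg_after));
    return 0;
}
```

The unpatched variant hands back the whole 128-byte stack buffer on the early-return path; the patched one reports a length of 0 there and still reports the real address size once `msg_name` is filled, which is why the early zeroing does not cost the datagram path its sender address.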




More information about the kernel-team mailing list