summaryrefslogtreecommitdiffstats
path: root/crypto/blkcipher.c
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2013-02-05 18:19:13 +0100
committerHerbert Xu <herbert@gondor.apana.org.au>2013-02-19 13:27:03 +0100
commit9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6 (patch)
tree321e685947c9d47ca369efabb061bf50e1921c1d /crypto/blkcipher.c
parentcrypto: caam - Added property fsl,sec-era in SEC4.0 device tree binding. (diff)
downloadlinux-9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6.tar.xz
linux-9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6.zip
crypto: user - fix info leaks in report API
Three errors resulting in kernel memory disclosure: 1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this. 2/ crypto_report_one() does not initialize all field of struct crypto_user_alg. Fix this to fix the heap info leak. 3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold. But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME. Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'crypto/blkcipher.c')
-rw-r--r--crypto/blkcipher.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
index e9e7244d5ef5..a79e7e9ab86e 100644
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -499,9 +499,9 @@ static int crypto_blkcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
{
struct crypto_report_blkcipher rblkcipher;
- snprintf(rblkcipher.type, CRYPTO_MAX_ALG_NAME, "%s", "blkcipher");
- snprintf(rblkcipher.geniv, CRYPTO_MAX_ALG_NAME, "%s",
- alg->cra_blkcipher.geniv ?: "<default>");
+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "<default>",
+ sizeof(rblkcipher.geniv));
rblkcipher.blocksize = alg->cra_blocksize;
rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;