+2
−0
+20
−4
Loading
Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more
We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
exploit this bug.
The call tree is:
___sys_recvmsg()
move_addr_to_user()
audit_sockaddr()
__audit_sockaddr()
Reported-by:
Jüri Aedla <juri.aedla@gmail.com>
Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by:
David S. Miller <davem@davemloft.net>