[kernel/f18] CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 24 12:53:07 UTC 2013


commit aba5c507e373e6a53b56f435b952a22c96c52807
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 24 08:52:41 2013 -0400

    CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)

 kernel.spec                                  |    7 +++++
 l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch |   32 ++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index a3e1d2d..8f056ce 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -829,6 +829,9 @@ Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
 #CVE-2013-3231 956094 956104
 Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
 
+#CVE-2013-3230 956088 956089
+Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
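Review bot: the new Patch25024 definition follows the numbering and the "#CVE-xxxx bugzilla-ids" comment convention of the neighbouring entries, so nothing to change here; only confirm that the definition is paired with an ApplyPatch line in the patch-application section, otherwise the file is listed as a source but never applied to the tree and the info leak stays open in the built kernel.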
@@ -1608,6 +1611,9 @@ ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
 #CVE-2013-3231 956094 956104
 ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
 
+#CVE-2013-3230 956088 956089
+ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2466,6 +2472,7 @@ fi
 #                 ||     ||
 %changelog
 * Wed Apr 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
 - CVE-2013-3231 llc: Fix missing msg_namelen update in llc_ui_recvmsg (rhbz 956094 956104)
 - CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
 - CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
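Review bot: the changelog line is placed under the existing "Wed Apr 24 2013" header rather than a fresh dated entry, which is correct for a same-day commit; the CVE-2013-3230 line is inserted ahead of -3231 through -3233, keeping the list in ascending CVE order and matching the subject line and the rhbz numbers used in the Patch/ApplyPatch comments, so the three references stay consistent for anyone auditing which advisories this build covers.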
diff --git a/l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch b/l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
new file mode 100644
index 0000000..5ea7a7d
--- /dev/null
+++ b/l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
@@ -0,0 +1,32 @@
+From b860d3cc62877fad02863e2a08efff69a19382d2 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:55 +0000
+Subject: [PATCH] l2tp: fix info leak in l2tp_ip6_recvmsg()
+
+The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
+struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
+in l2tp_ip6_recvmsg() in case msg_name is set.
+
+Initialize l2tp_conn_id with 0 to avoid the info leak.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/l2tp/l2tp_ip6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index c74f5a9..b8a6039 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 		lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
+ 		lsa->l2tp_flowinfo = 0;
+ 		lsa->l2tp_scope_id = 0;
++		lsa->l2tp_conn_id = 0;
+ 		if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
+ 			lsa->l2tp_scope_id = IP6CB(skb)->iif;
+ 	}
+-- 
+1.8.1.4
+
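Review bot: the one-line fix at `lsa->l2tp_conn_id = 0;` closes the four-byte stack leak described in the commit message, but the hunk initializes members one by one, so any field of `struct sockaddr_l2tpip6` not visible in this context (the family and unused/padding members set earlier in the function) and any member added later would still be copied to user space uninitialized. A more robust form is to clear the whole structure once before filling it, for example `memset(lsa, 0, sizeof(*lsa));` ahead of `lsa->l2tp_addr = ipv6_hdr(skb)->saddr;`, which also removes the need for the explicit `l2tp_flowinfo = 0` and `l2tp_scope_id = 0` assignments; if the backport is kept minimal to match upstream b860d3cc, the reviewer should at least confirm that every other member of the sockaddr is assigned before the name is copied out.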

