From 8bbebdd381517405bfaede680907d95753bafa87 Mon Sep 17 00:00:00 2001
From: Jiri Benc <jbenc@redhat.com>
Date: Thu, 10 Apr 2014 11:37:22 +0200
Subject: [PATCH] raw: fix reading of uninitialized memory on recv

When less bytes than the header size is read, do not indicate to the caller
that the read was successful, as the caller would read uninitialized memory.
To achieve that, subtract the header size unconditionally (unless an error
was returned by sk_receive).

In addition, do not check for Ethernet type when full Ethernet header was
not read. This again may lead to reading of uninitialized memory.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
---
 raw.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/raw.c b/raw.c
index 1bfc1bb..795292f 100644
--- a/raw.c
+++ b/raw.c
@@ -244,6 +244,11 @@ static int raw_recv(struct transport *t, int fd, void *buf, int buflen,
 
 	cnt = sk_receive(fd, ptr, buflen, hwts, 0);
 
+	if (cnt >= 0)
+		cnt -= hlen;
+	if (cnt < 0)
+		return cnt;
+
 	if (raw->vlan) {
 		if (ETH_P_1588 == ntohs(hdr->type)) {
 			pr_notice("raw: disabling VLAN mode");
@@ -255,9 +260,6 @@ static int raw_recv(struct transport *t, int fd, void *buf, int buflen,
 			raw->vlan = 1;
 		}
 	}
-	if (cnt >= hlen)  {
-		cnt -= hlen;
-	}
 	return cnt;
 }