diff options
| author | Mathias Krause <minipli@googlemail.com> | 2012-09-19 11:33:40 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-09-20 18:08:39 -0400 |
| commit | 7b789836f434c87168eab067cfbed1ec4783dffd (patch) | |
| tree | fcebdddebb3990a07644c49f335b6193edaf6cb1 /net | |
| parent | f778a636713a435d3a922c60b1622a91136560c1 (diff) | |
| download | linux-3.10-7b789836f434c87168eab067cfbed1ec4783dffd.tar.gz linux-3.10-7b789836f434c87168eab067cfbed1ec4783dffd.tar.bz2 linux-3.10-7b789836f434c87168eab067cfbed1ec4783dffd.zip | |
xfrm_user: fix info leak in copy_to_user_policy()
The memory reserved to dump the xfrm policy includes multiple padding
bytes added by the compiler for alignment (padding bytes in struct
xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
memset(0) before filling the buffer to avoid the heap info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index d585459dc8b..84dd85ceeee 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1320,6 +1320,7 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) { + memset(p, 0, sizeof(*p)); memcpy(&p->sel, &xp->selector, sizeof(p->sel)); memcpy(&p->lft, &xp->lft, sizeof(p->lft)); memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); |