summaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2017-08-26 17:08:59 +0200
committerSteffen Klassert <steffen.klassert@secunet.com>2017-08-28 10:58:02 +0200
commite3e5fc1698ae35ac60d075b477e84accb96e2652 (patch)
treebf5e774b618ef41b75b83c01e1d120f5c8376c7a /net/xfrm
parent50329c8a340c9dea60d837645fcf13fc36bfb84d (diff)
downloadop-kernel-dev-e3e5fc1698ae35ac60d075b477e84accb96e2652.zip
op-kernel-dev-e3e5fc1698ae35ac60d075b477e84accb96e2652.tar.gz
xfrm_user: fix info leak in build_expire()
The memory reserved to dump the expired xfrm state includes padding bytes in struct xfrm_user_expire added by the compiler for alignment. To prevent the heap info leak, memset(0) the remainder of the struct. Initializing the whole structure isn't needed as copy_to_user_state() already takes care of clearing the padding bytes within the 'state' member. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_user.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c33516e..2cbdc81 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
ue = nlmsg_data(nlh);
copy_to_user_state(x, &ue->state);
ue->hard = (c->data.hard != 0) ? 1 : 0;
+ /* clear the padding bytes */
+ memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
err = xfrm_mark_put(skb, &x->mark);
if (err)
OpenPOWER on IntegriCloud