| author | Mathias Krause <minipli@googlemail.com> | 2017-08-26 17:08:59 +0200 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2017-08-28 10:58:02 +0200 |
| commit | e3e5fc1698ae35ac60d075b477e84accb96e2652 (patch) | |
| tree | bf5e774b618ef41b75b83c01e1d120f5c8376c7a /net/xfrm | |
| parent | 50329c8a340c9dea60d837645fcf13fc36bfb84d (diff) | |
| download | op-kernel-dev-e3e5fc1698ae35ac60d075b477e84accb96e2652.zip op-kernel-dev-e3e5fc1698ae35ac60d075b477e84accb96e2652.tar.gz | |
xfrm_user: fix info leak in build_expire()
The memory reserved to dump the expired xfrm state includes padding
bytes in struct xfrm_user_expire added by the compiler for alignment. To
prevent the heap info leak, memset(0) the remainder of the struct.
Initializing the whole structure isn't needed as copy_to_user_state()
already takes care of clearing the padding bytes within the 'state'
member.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm')

| -rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
|---|---|---|

1 files changed, 2 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c33516e..2cbdc81 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct ue = nlmsg_data(nlh); copy_to_user_state(x, &ue->state); ue->hard = (c->data.hard != 0) ? 1 : 0; + /* clear the padding bytes */ + memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard)); err = xfrm_mark_put(skb, &x->mark); if (err) |
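Review bot: the added memset in build_expire() silently depends on `hard` being the last named member of struct xfrm_user_expire, and the hunk's context does not show the struct definition, so that precondition cannot be checked from the diff alone. If it holds, clearing from `&ue->hard + 1` for `sizeof(*ue) - offsetofend(typeof(*ue), hard)` bytes covers exactly the trailing padding that copy_to_user_state() does not touch, which is what the commit message describes. Any member appended after `hard` in a later change would be excluded from the cleared range and the leak of uninitialised heap bytes to userspace via the netlink message would return without any compile-time signal. The one-line comment `/* clear the padding bytes */` should state that dependency, e.g. "hard must remain the last member; the memset below clears the padding after it", or the clearing should be expressed relative to the end of the struct so it does not need to be revisited when the layout changes.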