author    Mathias Krause <minipli@googlemail.com>  2017-08-26 17:08:59 +0200
committer Steffen Klassert <steffen.klassert@secunet.com>  2017-08-28 10:58:02 +0200
commit    e3e5fc1698ae35ac60d075b477e84accb96e2652
tree      bf5e774b618ef41b75b83c01e1d120f5c8376c7a
parent    xfrm_user: fix info leak in xfrm_notify_sa()
xfrm_user: fix info leak in build_expire()
The memory reserved to dump the expired xfrm state includes padding bytes in struct xfrm_user_expire added by the compiler for alignment. To prevent the heap info leak, memset(0) the remainder of the struct. Initializing the whole structure isn't needed as copy_to_user_state() already takes care of clearing the padding bytes within the 'state' member.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-rw-r--r--  net/xfrm/xfrm_user.c | 2
1 files changed, 2 insertions, 0 deletions
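The leak the commit message describes, reproduced in userspace as an added example (this is not the kernel's code and not the real xfrm definitions): `struct demo_state` and `struct demo_expire` are constructed stand-ins for `struct xfrm_usersa_info` and `struct xfrm_user_expire`, chosen so that a single-byte `hard` field is followed by trailing alignment padding, and `demo_offsetofend()` is a reimplementation of the kernel's `offsetofend()` helper. The buffer is pre-filled with a stale byte to stand in for leftover heap contents; `demo_leak_bytes(0)` shows how many padding bytes would reach the reader unchanged, and `demo_leak_bytes(1)` applies the same `memset(&ue->hard + 1, 0, ...)` as the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the kernel structs (assumption: not the real xfrm
 * layouts). A 16-byte, 8-byte-aligned "state" followed by a one-byte flag, so
 * the compiler appends trailing padding after 'hard' to round the struct up to
 * a multiple of its alignment. */
struct demo_state {
	uint64_t a;
	uint64_t b;
};

struct demo_expire {
	struct demo_state state;
	uint8_t hard;
	/* compiler-inserted trailing padding follows here */
};

/* Reimplementation of the kernel's offsetofend(): offset of the first byte
 * past MEMBER. */
#define demo_offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Pattern used to simulate stale heap contents in the message buffer. */
#define STALE_BYTE 0xAA

/* Number of padding bytes that follow 'hard'. */
size_t demo_trailing_padding(void)
{
	return sizeof(struct demo_expire) -
	       demo_offsetofend(struct demo_expire, hard);
}

/* Build the message the way build_expire() does. The struct is first filled
 * with STALE_BYTE to stand in for whatever the allocator left behind. With
 * clear_padding == 0 the padding is left untouched (the bug); with
 * clear_padding != 0 the patch's memset() of the tail is applied. */
void demo_build_expire(struct demo_expire *ue, int clear_padding)
{
	memset(ue, STALE_BYTE, sizeof(*ue));
	ue->state.a = 1;
	ue->state.b = 2;
	ue->hard = 1;
	if (clear_padding) {
		/* clear the padding bytes, exactly as in the patch */
		memset(&ue->hard + 1, 0,
		       sizeof(*ue) - demo_offsetofend(struct demo_expire, hard));
	}
}

/* Count trailing-padding bytes that still hold the stale value, i.e. bytes
 * that would be copied out with old heap contents. */
size_t demo_count_stale_padding(const struct demo_expire *ue)
{
	const unsigned char *bytes = (const unsigned char *)ue;
	size_t start = demo_offsetofend(struct demo_expire, hard);
	size_t n = 0;

	for (size_t i = start; i < sizeof(*ue); i++)
		if (bytes[i] == STALE_BYTE)
			n++;
	return n;
}

/* One-shot check: build the message in the given mode and report how many
 * padding bytes still carry stale data. */
size_t demo_leak_bytes(int clear_padding)
{
	struct demo_expire ue;

	demo_build_expire(&ue, clear_padding);
	return demo_count_stale_padding(&ue);
}
```

The exact amount of padding depends on the ABI (7 bytes on a typical 64-bit target), which is why the check compares against `demo_trailing_padding()` rather than a constant; the same reasoning is what lets the kernel patch stay correct whatever the compiler decides, since the memset length is computed from the real layout and degrades to a harmless zero-length call if no padding exists.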
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c33516ef52f2..2cbdc81610c6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
ue = nlmsg_data(nlh);
copy_to_user_state(x, &ue->state);
ue->hard = (c->data.hard != 0) ? 1 : 0;
+ /* clear the padding bytes */
+ memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
err = xfrm_mark_put(skb, &x->mark);
if (err)
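Review bot: The start pointer `&ue->hard + 1` and the length `sizeof(*ue) - offsetofend(typeof(*ue), hard)` express the same boundary in two different ways; deriving both from offsetofend, e.g. `memset((char *)ue + offsetofend(typeof(*ue), hard), 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));`, would make the pairing self-evidently consistent to the next reader. As written the arithmetic is correct: `&ue->hard + 1` points just past `hard`, and the length is exactly the trailing padding, so the call is a no-op on an ABI that adds none. The added comment could also say that this clears only the bytes after `hard`, with the padding inside `state` left to copy_to_user_state() as the commit message explains, since that split is not obvious from the code alone.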