Commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0
Committed by
David S. Miller
1 parent
84d73cd3fb
Exists in
smarc-l5.0.0_1.0.0-ga
and in
5 other branches
dcbnl: fix various netlink info leaks
The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole struct,

Prevent all of the above stack info leaks by properly initializing the buffers/structures involved.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 8 additions and 0 deletions
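--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -284,6 +284,7 @@
 if (!netdev->dcbnl_ops->getpermhwaddr)
 return -EOPNOTSUPP;
 
+memset(perm_addr, 0, sizeof(perm_addr));
 netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
 
 return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
@@ -1042,6 +1043,7 @@
 
 if (ops->ieee_getets) {
 struct ieee_ets ets;
+memset(&ets, 0, sizeof(ets));
 err = ops->ieee_getets(netdev, &ets);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
@@ -1050,6 +1052,7 @@
 
 if (ops->ieee_getmaxrate) {
 struct ieee_maxrate maxrate;
+memset(&maxrate, 0, sizeof(maxrate));
 err = ops->ieee_getmaxrate(netdev, &maxrate);
 if (!err) {
 err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
@@ -1061,6 +1064,7 @@
 
 if (ops->ieee_getpfc) {
 struct ieee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->ieee_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
@@ -1094,6 +1098,7 @@
 /* get peer info if available */
 if (ops->ieee_peer_getets) {
 struct ieee_ets ets;
+memset(&ets, 0, sizeof(ets));
 err = ops->ieee_peer_getets(netdev, &ets);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
@@ -1102,6 +1107,7 @@
 
 if (ops->ieee_peer_getpfc) {
 struct ieee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->ieee_peer_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
@@ -1280,6 +1286,7 @@
 /* peer info if available */
 if (ops->cee_peer_getpg) {
 struct cee_pg pg;
+memset(&pg, 0, sizeof(pg));
 err = ops->cee_peer_getpg(netdev, &pg);
 if (!err &&
 nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
@@ -1288,6 +1295,7 @@
 
 if (ops->cee_peer_getpfc) {
 struct cee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->cee_peer_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))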
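Review bot: None of the added memset() calls says why the whole object is cleared, so at `struct ieee_ets ets;` in the @@ -1042 hunk (and the six struct blocks after it) a later cleanup could plausibly replace the call with an initializer such as `= {0}`, which C11 does not guarantee clears the padding bytes that `nla_put(skb, ..., sizeof(ets), &ets)` copies into the netlink reply in full. I would add `/* clear padding too: nla_put() copies sizeof() bytes of this stack object */` above each memset and separate it from the declaration with a blank line, as kernel style expects. Because the fix is applied per call site, any other spot in this file that hands a driver-filled stack object to nla_put() with sizeof() would need the same treatment; none is visible in these hunks, so that is worth checking against the full file. The enclosing functions start and end outside every hunk shown.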