Commit b9258a2cece4ec1f020715fe3554bc2e360f6264
Committed by
David S. Miller
1 parent
b1f4c209d8
slcan: Don't transmit uninitialized stack data in padding
struct can_frame contains some padding which is not explicitly zeroed in slc_bump. This uninitialized data will then be transmitted if the stack initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). This commit just zeroes the whole struct including the padding. Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters") Reviewed-by: Kees Cook <keescook@chromium.org> Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Cc: security@kernel.org Cc: wg@grandegger.com Cc: mkl@pengutronix.de Cc: davem@davemloft.net Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 1 additions and 3 deletions Side-by-side Diff
drivers/net/can/slcan.c
... | ... | @@ -148,7 +148,7 @@ |
148 | 148 | u32 tmpid; |
149 | 149 | char *cmd = sl->rbuff; |
150 | 150 | |
151 | - cf.can_id = 0; | |
151 | + memset(&cf, 0, sizeof(cf)); | |
152 | 152 | |
153 | 153 | switch (*cmd) { |
154 | 154 | case 'r': |
... | ... | @@ -186,8 +186,6 @@ |
186 | 186 | cf.can_dlc -= '0'; |
187 | 187 | else |
188 | 188 | return; |
189 | - | |
190 | - *(u64 *) (&cf.data) = 0; /* clear payload */ | |
191 | 189 | |
192 | 190 | /* RTR frames may have a dlc > 0 but they never have any data bytes */ |
193 | 191 | if (!(cf.can_id & CAN_RTR_FLAG)) { |