提交 e3e5fc16 编写于 作者: M Mathias Krause 提交者: Steffen Klassert

xfrm_user: fix info leak in build_expire()

The memory reserved to dump the expired xfrm state includes padding
bytes in struct xfrm_user_expire added by the compiler for alignment. To
prevent the heap info leak, memset(0) the remainder of the struct.
Initializing the whole structure isn't needed as copy_to_user_state()
already takes care of clearing the padding bytes within the 'state'
member.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
上级 50329c8a
...@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct ...@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
ue = nlmsg_data(nlh); ue = nlmsg_data(nlh);
copy_to_user_state(x, &ue->state); copy_to_user_state(x, &ue->state);
ue->hard = (c->data.hard != 0) ? 1 : 0; ue->hard = (c->data.hard != 0) ? 1 : 0;
/* clear the padding bytes */
memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
err = xfrm_mark_put(skb, &x->mark); err = xfrm_mark_put(skb, &x->mark);
if (err) if (err)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册