net: always initialize pagedlen

mainline inclusion from mainline-4.20 commit aba36930a35e category: bugfix bugzilla: 6118 CVE: NA ------------------------------------------------- In ip packet generation, pagedlen is initialized for each skb at the start of the loop in __ip(6)_append_data, before label alloc_new_skb. Depending on compiler options, code can be generated that jumps to this label, triggering use of an an uninitialized variable. In practice, at -O2, the generated code moves the initialization below the label. But the code should not rely on that for correctness. Fixes: 15e36f5b ("udp: paged allocation with gso") Signed-off-by: N Willem de Bruijn <willemb@google.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Keefe LIU <liuqifa@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

net: always initialize pagedlen
mainline inclusion from mainline-4.20 commit aba36930a35e category: bugfix bugzilla: 6118 CVE: NA ------------------------------------------------- In ip packet generation, pagedlen is initialized for each skb at the start of the loop in __ip(6)_append_data, before label alloc_new_skb. Depending on compiler options, code can be generated that jumps to this label, triggering use of an an uninitialized variable. In practice, at -O2, the generated code moves the initialization below the label. But the code should not rely on that for correctness. Fixes: 15e36f5b ("udp: paged allocation with gso") Signed-off-by: N Willem de Bruijn <willemb@google.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Keefe LIU <liuqifa@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
bcb1dc73 · Willem de Bruijn · Xie XiuQi · 014610d0 · bcb1dc73 · bcb1dc73
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

net/ipv4/ip_output.c net/ipv4/ip_output.c +2 -1

net/ipv6/ip6_output.c net/ipv6/ip6_output.c +2 -1

未找到文件。
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -939,7 +939,7 @@ static int __ip_append_data(struct sock *sk,
 			unsigned int fraglen;
 			unsigned int fraggap;
 			unsigned int alloclen;
-			unsigned int pagedlen = 0;
+			unsigned int pagedlen;
 			struct sk_buff *skb_prev;
 alloc_new_skb:
 			skb_prev = skb;
@@ -956,6 +956,7 @@ static int __ip_append_data(struct sock *sk,
 			if (datalen > mtu - fragheaderlen)
 				datalen = maxfraglen - fragheaderlen;
 			fraglen = datalen + fragheaderlen;
+			pagedlen = 0;
 			if ((flags & MSG_MORE) &&
 			    !(rt->dst.dev->features&NETIF_F_SG))

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1355,7 +1355,7 @@ static int __ip6_append_data(struct sock *sk,
 			unsigned int fraglen;
 			unsigned int fraggap;
 			unsigned int alloclen;
-			unsigned int pagedlen = 0;
+			unsigned int pagedlen;
 alloc_new_skb:
 			/* There's no room in the current skb */
 			if (skb)
@@ -1379,6 +1379,7 @@ static int __ip6_append_data(struct sock *sk,
 			if (datalen > (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
 				datalen = maxfraglen - fragheaderlen - rt->dst.trailer_len;
 			fraglen = datalen + fragheaderlen;
+			pagedlen = 0;
 			if ((flags & MSG_MORE) &&
 			    !(rt->dst.dev->features&NETIF_F_SG))