wext: fix potential private ioctl memory content leak

When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc. Reported-by: N Jeff Mahoney <jeffm@suse.com> Cc: stable@kernel.org Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>

wext: fix potential private ioctl memory content leak
When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc. Reported-by: N Jeff Mahoney <jeffm@suse.com> Cc: stable@kernel.org Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>
df6d0230 · Johannes Berg · John W. Linville · 7acc7c68 · df6d0230
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

net/wireless/wext-priv.c net/wireless/wext-priv.c +1 -1

未找到文件。
--- a/net/wireless/wext-priv.c
+++ b/net/wireless/wext-priv.c
@@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd,
 	} else if (!iwp->pointer)
 		return -EFAULT;
-	extra = kmalloc(extra_size, GFP_KERNEL);
+	extra = kzalloc(extra_size, GFP_KERNEL);
 	if (!extra)
 		return -ENOMEM;