Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / d4a7a066b6caec2b695cf0414a27491372676926 / . / releases / 3.9.3 / ipv6-gre-do-not-leak-info-to-user-space.patch
blob: 35b5b5054d8f9b2c76325ad40310f72e28ba7260 [file] [log] [blame]
From fdc35e0619534b2733bb58e82fb5004942bc5725 Mon Sep 17 00:00:00 2001
From: Amerigo Wang <amwang@redhat.com>
Date: Thu, 9 May 2013 21:56:37 +0000
Subject: ipv6,gre: do not leak info to user-space
From: Amerigo Wang <amwang@redhat.com>
[ Upstream commit 5dbd5068430b8bd1c19387d46d6c1a88b261257f ]
There is a hole in struct ip6_tnl_parm2, so we have to
zero the struct on stack before copying it to user-space.
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_gre.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1135,6 +1135,7 @@ static int ip6gre_tunnel_ioctl(struct ne
}
if (t == NULL)
t = netdev_priv(dev);
+ memset(&p, 0, sizeof(p));
ip6gre_tnl_parm_to_user(&p, &t->parms);
if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
err = -EFAULT;
@@ -1182,6 +1183,7 @@ static int ip6gre_tunnel_ioctl(struct ne
if (t) {
err = 0;
+ memset(&p, 0, sizeof(p));
ip6gre_tnl_parm_to_user(&p, &t->parms);
if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
err = -EFAULT;