| From fdc35e0619534b2733bb58e82fb5004942bc5725 Mon Sep 17 00:00:00 2001 |
| From: Amerigo Wang <amwang@redhat.com> |
| Date: Thu, 9 May 2013 21:56:37 +0000 |
| Subject: ipv6,gre: do not leak info to user-space |
| |
| |
| From: Amerigo Wang <amwang@redhat.com> |
| |
| [ Upstream commit 5dbd5068430b8bd1c19387d46d6c1a88b261257f ] |
| |
| There is a hole in struct ip6_tnl_parm2, so we have to |
| zero the struct on stack before copying it to user-space. |
| |
| Cc: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Cong Wang <amwang@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv6/ip6_gre.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/net/ipv6/ip6_gre.c |
| +++ b/net/ipv6/ip6_gre.c |
| @@ -1135,6 +1135,7 @@ static int ip6gre_tunnel_ioctl(struct ne |
| } |
| if (t == NULL) |
| t = netdev_priv(dev); |
| + memset(&p, 0, sizeof(p)); |
| ip6gre_tnl_parm_to_user(&p, &t->parms); |
| if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p))) |
| err = -EFAULT; |
| @@ -1182,6 +1183,7 @@ static int ip6gre_tunnel_ioctl(struct ne |
| if (t) { |
| err = 0; |
| |
| + memset(&p, 0, sizeof(p)); |
| ip6gre_tnl_parm_to_user(&p, &t->parms); |
| if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p))) |
| err = -EFAULT; |