[thirdparty/kernel/stable-queue.git] / releases / 3.8.4 / bridge-fix-mdb-info-leaks.patch

From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sat, 9 Mar 2013 05:52:19 +0000
Subject: bridge: fix mdb info leaks


From: Mathias Krause <minipli@googlemail.com>

[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]

The bridging code discloses heap and stack bytes via the RTM_GETMDB
netlink interface and via the notify messages send to group RTNLGRP_MDB
afer a successful add/del.

Fix both cases by initializing all unset members/padding bytes with
memset(0).

Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_mdb.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
 				port = p->port;
 				if (port) {
 					struct br_mdb_entry e;
+					memset(&e, 0, sizeof(e));
 					e.ifindex = port->dev->ifindex;
 					e.state = p->state;
 					if (p->addr.proto == htons(ETH_P_IP))
@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
 				break;
 
 			bpm = nlmsg_data(nlh);
+			memset(bpm, 0, sizeof(*bpm));
 			bpm->ifindex = dev->ifindex;
 			if (br_mdb_fill_info(skb, cb, dev) < 0)
 				goto out;
@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
 		return -EMSGSIZE;
 
 	bpm = nlmsg_data(nlh);
+	memset(bpm, 0, sizeof(*bpm));
 	bpm->family  = AF_BRIDGE;
 	bpm->ifindex = dev->ifindex;
 	nest = nla_nest_start(skb, MDBA_MDB);
@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
 {
 	struct br_mdb_entry entry;
 
+	memset(&entry, 0, sizeof(entry));
 	entry.ifindex = port->dev->ifindex;
 	entry.addr.proto = group->proto;
 	entry.addr.u.ip4 = group->u.ip4;
Commit	Line	Data
8002656c GKH	1	From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
	2	From: Mathias Krause <minipli@googlemail.com>
	3	Date: Sat, 9 Mar 2013 05:52:19 +0000
	4	Subject: bridge: fix mdb info leaks
	5
	6
	7	From: Mathias Krause <minipli@googlemail.com>
	8
	9	[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]
	10
	11	The bridging code discloses heap and stack bytes via the RTM_GETMDB
	12	netlink interface and via the notify messages send to group RTNLGRP_MDB
	13	afer a successful add/del.
	14
	15	Fix both cases by initializing all unset members/padding bytes with
	16	memset(0).
	17
	18	Cc: Stephen Hemminger <stephen@networkplumber.org>
	19	Signed-off-by: Mathias Krause <minipli@googlemail.com>
	20	Signed-off-by: David S. Miller <davem@davemloft.net>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	---
	23	net/bridge/br_mdb.c \| 4 ++++
	24	1 file changed, 4 insertions(+)
	25
	26	--- a/net/bridge/br_mdb.c
	27	+++ b/net/bridge/br_mdb.c
	28	@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
	29	port = p->port;
	30	if (port) {
	31	struct br_mdb_entry e;
	32	+ memset(&e, 0, sizeof(e));
	33	e.ifindex = port->dev->ifindex;
	34	e.state = p->state;
	35	if (p->addr.proto == htons(ETH_P_IP))
	36	@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
	37	break;
	38
	39	bpm = nlmsg_data(nlh);
	40	+ memset(bpm, 0, sizeof(*bpm));
	41	bpm->ifindex = dev->ifindex;
	42	if (br_mdb_fill_info(skb, cb, dev) < 0)
	43	goto out;
	44	@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
	45	return -EMSGSIZE;
	46
	47	bpm = nlmsg_data(nlh);
	48	+ memset(bpm, 0, sizeof(*bpm));
	49	bpm->family = AF_BRIDGE;
	50	bpm->ifindex = dev->ifindex;
	51	nest = nla_nest_start(skb, MDBA_MDB);
	52	@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
	53	{
	54	struct br_mdb_entry entry;
	55
	56	+ memset(&entry, 0, sizeof(entry));
	57	entry.ifindex = port->dev->ifindex;
	58	entry.addr.proto = group->proto;
	59	entry.addr.u.ip4 = group->u.ip4;