]>
Commit | Line | Data |
---|---|---|
8002656c GKH |
1 | From 322aa953dd5565d1029a18d5bda0bd25a0dbb4bb Mon Sep 17 00:00:00 2001 |
2 | From: Mathias Krause <minipli@googlemail.com> | |
3 | Date: Sat, 9 Mar 2013 05:52:20 +0000 | |
4 | Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices | |
5 | ||
6 | ||
7 | From: Mathias Krause <minipli@googlemail.com> | |
8 | ||
9 | [ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ] | |
10 | ||
11 | Initialize the mac address buffer with 0 as the driver specific function | |
12 | will probably not fill the whole buffer. In fact, all in-kernel drivers | |
13 | fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible | |
14 | bytes. Therefore we currently leak 26 bytes of stack memory to userland | |
15 | via the netlink interface. | |
16 | ||
17 | Signed-off-by: Mathias Krause <minipli@googlemail.com> | |
18 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
20 | --- | |
21 | net/core/rtnetlink.c | 1 + | |
22 | 1 file changed, 1 insertion(+) | |
23 | ||
24 | --- a/net/core/rtnetlink.c | |
25 | +++ b/net/core/rtnetlink.c | |
26 | @@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_bu | |
27 | * report anything. | |
28 | */ | |
29 | ivi.spoofchk = -1; | |
30 | + memset(ivi.mac, 0, sizeof(ivi.mac)); | |
31 | if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi)) | |
32 | break; | |
33 | vf_mac.vf = |