.33
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 23 Nov 2010 00:54:01 +0000 (16:54 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 23 Nov 2010 00:54:01 +0000 (16:54 -0800)
queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch [new file with mode: 0644]
queue-2.6.33/series

diff --git a/queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch b/queue-2.6.33/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
new file mode 100644 (file)
index 0000000..cf9edfa
--- /dev/null
@@ -0,0 +1,34 @@
+From ae6df5f96a51818d6376da5307d773baeece4014 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Thu, 7 Oct 2010 10:03:48 +0000
+Subject: net: clear heap allocation for ETHTOOL_GRXCLSRLALL
+
+From: Kees Cook <kees.cook@canonical.com>
+
+commit ae6df5f96a51818d6376da5307d773baeece4014 upstream.
+
+Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
+heap without clearing it. For the one driver (niu) that implements it,
+it will leave the unused portion of heap unchanged and copy the full
+contents back to userspace.
+
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Acked-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/ethtool.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -258,7 +258,7 @@ static int ethtool_get_rxnfc(struct net_
+       if (info.cmd == ETHTOOL_GRXCLSRLALL) {
+               if (info.rule_cnt > 0) {
+                       if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
+-                              rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
++                              rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
+                                                  GFP_USER);
+                       if (!rule_buf)
+                               return -ENOMEM;
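Review bot: The switch to `kzalloc` in the `ETHTOOL_GRXCLSRLALL` branch has no comment saying why the buffer must be zeroed, so a later cleanup could turn it back into `kmalloc` and reintroduce the heap disclosure the commit message describes. A one-line comment above the allocation would pin the intent, for example `/* zeroed: the driver may fill fewer than rule_cnt entries and the whole buffer is copied to userspace */`. As a matter of style, `kcalloc(info.rule_cnt, sizeof(u32), GFP_USER)` expresses the same zeroed array allocation and does the multiplication overflow check itself. The copy back to userspace and the rest of `ethtool_get_rxnfc` lie outside the hunk, so it cannot be confirmed here whether the copied length is bounded by what the driver actually wrote; zeroing covers the stale-heap case either way.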
index bd86dc1c36b0ce0adc52240e6ddf445f5762ec26..6f7ff324710c1aa9f921a08acae02500bc27c776 100644 (file)
@@ -101,3 +101,4 @@ block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
 block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
 irda-fix-parameter-extraction-stack-overflow.patch
 irda-fix-heap-memory-corruption-in-iriap.c.patch
+net-clear-heap-allocation-for-ethtool_grxclsrlall.patch