From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Tue, 23 Nov 2010 00:53:48 +0000 (-0800)
Subject: .32 patches
X-Git-Tag: v2.6.27.57~67
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6dce23997bee190121058318bc43dcb8858557a7;p=thirdparty%2Fkernel%2Fstable-queue.git

.32 patches
---

diff --git a/queue-2.6.32/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch b/queue-2.6.32/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
new file mode 100644
index 00000000000..201aaccccd5
--- /dev/null
+++ b/queue-2.6.32/net-clear-heap-allocation-for-ethtool_grxclsrlall.patch
@@ -0,0 +1,34 @@
+From ae6df5f96a51818d6376da5307d773baeece4014 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Thu, 7 Oct 2010 10:03:48 +0000
+Subject: net: clear heap allocation for ETHTOOL_GRXCLSRLALL
+
+From: Kees Cook <kees.cook@canonical.com>
+
+commit ae6df5f96a51818d6376da5307d773baeece4014 upstream.
+
+Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
+heap without clearing it. For the one driver (niu) that implements it,
+it will leave the unused portion of heap unchanged and copy the full
+contents back to userspace.
+
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Acked-by: Ben Hutchings <bhutchings@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/core/ethtool.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -265,7 +265,7 @@ static int ethtool_get_rxnfc(struct net_
+ 	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
+ 		if (info.rule_cnt > 0) {
+ 			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
+-				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
++				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
+ 						   GFP_USER);
+ 			if (!rule_buf)
+ 				return -ENOMEM;
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index 864f11e39cc..60041a8e0df 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -8,3 +8,4 @@ irda-fix-heap-memory-corruption-in-iriap.c.patch
 i2c-pca-platform-change-device-name-of-request_irq.patch
 sunrpc-after-calling-xprt_release-we-must-restart-from-call_reserve.patch
 microblaze-fix-build-with-make-3.82.patch
+net-clear-heap-allocation-for-ethtool_grxclsrlall.patch