
Commit 29cd8ae

miniplidavem330
authored andcommitted
dcbnl: fix various netlink info leaks
The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 84d73cd commit 29cd8ae


1 file changed

+8
-0
lines changed

1 file changed

+8
-0
lines changed

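--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
 if (!netdev->dcbnl_ops->getpermhwaddr)
 return -EOPNOTSUPP;
 
+memset(perm_addr, 0, sizeof(perm_addr));
 netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
 
 return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
 
 if (ops->ieee_getets) {
 struct ieee_ets ets;
+memset(&ets, 0, sizeof(ets));
 err = ops->ieee_getets(netdev, &ets);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
 
 if (ops->ieee_getmaxrate) {
 struct ieee_maxrate maxrate;
+memset(&maxrate, 0, sizeof(maxrate));
 err = ops->ieee_getmaxrate(netdev, &maxrate);
 if (!err) {
 err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
 
 if (ops->ieee_getpfc) {
 struct ieee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->ieee_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
 /* get peer info if available */
 if (ops->ieee_peer_getets) {
 struct ieee_ets ets;
+memset(&ets, 0, sizeof(ets));
 err = ops->ieee_peer_getets(netdev, &ets);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
 
 if (ops->ieee_peer_getpfc) {
 struct ieee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->ieee_peer_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
 /* peer info if available */
 if (ops->cee_peer_getpg) {
 struct cee_pg pg;
+memset(&pg, 0, sizeof(pg));
 err = ops->cee_peer_getpg(netdev, &pg);
 if (!err &&
 nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
 
 if (ops->cee_peer_getpfc) {
 struct cee_pfc pfc;
+memset(&pfc, 0, sizeof(pfc));
 err = ops->cee_peer_getpfc(netdev, &pfc);
 if (!err &&
 nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))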
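Review bot: None of the eight added memset() calls carries a comment saying why it is there, so a later cleanup could drop one as redundant or turn it into an `= {}` initializer, which is not guaranteed to clear padding bytes. Each buffer is handed to nla_put() with its full sizeof while the driver callback may fill only part of it, so I would add a short comment at the first site in dcbnl_ieee_fill(), e.g. `/* zero incl. padding: drivers may not fill every field and the whole struct is copied out via nla_put() */`. The same reasoning applies to perm_addr in dcbnl_getperm_hwaddr() and to the peer structs in dcbnl_cee_fill(). All three functions begin and end outside these hunks, so any other on-stack buffers they pass to nla_put() could not be checked from this page.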
