Commit ae6df5f9 authored Oct 07, 2010 by Kees Cook Committed by David S. Miller Oct 08, 2010

net: clear heap allocation for ETHTOOL_GRXCLSRLALL



Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 94b10572

net/core/ethtool.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
		if (info.cmd == ETHTOOL_GRXCLSRLALL) {
		if (info.rule_cnt > 0) {
		if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
		rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
		rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
		GFP_USER);
		if (!rule_buf)
		return -ENOMEM;