Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a117dacd authored by Mathias Krause's avatar Mathias Krause Committed by David S. Miller
Browse files

net/tun: fix ioctl() based info leaks 



The tun module leaks up to 36 bytes of memory by not fully initializing
a structure located on the stack that gets copied to user memory by the
TUNGETIFF and SIOCGIFHWADDR ioctl()s.

Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cac83e53

drivers/net/tun.c

+3 −1
Original line number Diff line number Diff line
@@ -1379,9 +1379,11 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, 
	int vnet_hdr_sz;

	int ret;



	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)

	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {

		if (copy_from_user(&ifr, argp, ifreq_len))

			return -EFAULT;

	} else

		memset(&ifr, 0, sizeof(ifr));



	if (cmd == TUNGETFEATURES) {

		/* Currently this just means: "what IFF flags are valid?".