net: clear heap allocation for ETHTOOL_GRXCLSRLALL

commit ae6df5f9 upstream. Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

net: clear heap allocation for ETHTOOL_GRXCLSRLALL
commit ae6df5f9 upstream. Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
5c98bcd6 · Kees Cook · Greg Kroah-Hartman · 8993c9cb · 5c98bcd6
Commit 5c98bcd6 authored Oct 07, 2010 by Kees Cook Committed by Greg Kroah-Hartman Dec 09, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/core/ethtool.c net/core/ethtool.c +1 -1

No files found.
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -265,7 +265,7 @@ static int ethtool_get_rxnfc(struct net_device *dev,
 	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
 		if (info.rule_cnt > 0) {
 			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
-				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
 						   GFP_USER);
 			if (!rule_buf)
 				return -ENOMEM;