Commit ae6df5f9 authored by Kees Cook's avatar Kees Cook Committed by David S. Miller

net: clear heap allocation for ETHTOOL_GRXCLSRLALL

Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.
Signed-off-by: default avatarKees Cook <kees.cook@canonical.com>
Acked-by: default avatarBen Hutchings <bhutchings@solarflare.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 94b10572
...@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, ...@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
if (info.cmd == ETHTOOL_GRXCLSRLALL) { if (info.cmd == ETHTOOL_GRXCLSRLALL) {
if (info.rule_cnt > 0) { if (info.rule_cnt > 0) {
if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
rule_buf = kmalloc(info.rule_cnt * sizeof(u32), rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
GFP_USER); GFP_USER);
if (!rule_buf) if (!rule_buf)
return -ENOMEM; return -ENOMEM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment