rtnl: fix info leak on RTM_GETLINK request for VF devices

[ Upstream commit 84d73cd3 ] Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

rtnl: fix info leak on RTM_GETLINK request for VF devices
[ Upstream commit 84d73cd3 ] Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3385fcdb · Mathias Krause · Greg Kroah-Hartman · 2f401a6d · 3385fcdb
Commit 3385fcdb authored Mar 09, 2013 by Mathias Krause Committed by Greg Kroah-Hartman Mar 20, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/core/rtnetlink.c net/core/rtnetlink.c +1 -0

No files found.
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -963,6 +963,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 			struct ifla_vf_mac vf_mac;
 			struct ifla_vf_vlan vf_vlan;
 			struct ifla_vf_tx_rate vf_tx_rate;
+			memset(ivi.mac, 0, sizeof(ivi.mac));
 			if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
 				break;
 			vf_mac.vf = vf_vlan.vf = vf_tx_rate.vf = ivi.vf;