tcp: fix out-of-bounds access in ULP sysctl

KASAN reports out-of-bound access in proc_dostring() coming from proc_tcp_available_ulp() because in case TCP ULP list is empty the buffer allocated for the response will not have anything printed into it. Set the first byte to zero to avoid strlen() going out-of-bounds. Fixes: 734942cc ("tcp: ULP infrastructure") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>

tcp: fix out-of-bounds access in ULP sysctl
KASAN reports out-of-bound access in proc_dostring() coming from proc_tcp_available_ulp() because in case TCP ULP list is empty the buffer allocated for the response will not have anything printed into it. Set the first byte to zero to avoid strlen() going out-of-bounds. Fixes: 734942cc ("tcp: ULP infrastructure") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>
926f38e9 · Jakub Kicinski · David S. Miller · 23994631 · 926f38e9
Commit 926f38e9 authored Jun 22, 2017 by Jakub Kicinski Committed by David S. Miller Jun 23, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/ipv4/tcp_ulp.c net/ipv4/tcp_ulp.c +1 -0

No files found.
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -88,6 +88,7 @@ void tcp_get_available_ulp(char *buf, size_t maxlen)
 	struct tcp_ulp_ops *ulp_ops;
 	size_t offs = 0;

+	*buf = '\0';
 	rcu_read_lock();
 	list_for_each_entry_rcu(ulp_ops, &tcp_ulp_list, list) {
 		offs += snprintf(buf + offs, maxlen - offs,