rtnl: fix info leak on RTM_GETLINK request for VF devices
authorMathias Krause <minipli@googlemail.com>
Sat, 9 Mar 2013 05:52:20 +0000 (05:52 +0000)
committerDavid S. Miller <davem@davemloft.net>
Sun, 10 Mar 2013 09:19:26 +0000 (05:19 -0400)
Initialize the mac address buffer with 0 as the driver specific function
will probably not fill the whole buffer. In fact, all in-kernel drivers
fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
bytes. Therefore we currently leak 26 bytes of stack memory to userland
via the netlink interface.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/rtnetlink.c

index b376410ff2590f3e10897488fd6c092df70faa4c..a585d45cc9d9faefbc51fde485971a1336065e58 100644 (file)
@@ -979,6 +979,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                         * report anything.
                         */
                        ivi.spoofchk = -1;
+                       memset(ivi.mac, 0, sizeof(ivi.mac));
                        if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
                                break;
                        vf_mac.vf =