xfrm_user: fix info leak in copy_user_offload()
authorMathias Krause <minipli@googlemail.com>
Sat, 26 Aug 2017 15:08:57 +0000 (17:08 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Mon, 28 Aug 2017 08:58:02 +0000 (10:58 +0200)
The memory reserved to dump the xfrm offload state includes padding
bytes of struct xfrm_user_offload added by the compiler for alignment.
Add an explicit memset(0) before filling the buffer to avoid the heap
info leak.

Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/xfrm/xfrm_user.c

index 2be4c6af008a7917ae5cc1e3306c5466cae387e4..3259555ae7d708506a3d2a2d6d8e57b19df8d7e7 100644 (file)
@@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
                return -EMSGSIZE;
 
        xuo = nla_data(attr);
-
+       memset(xuo, 0, sizeof(*xuo));
        xuo->ifindex = xso->dev->ifindex;
        xuo->flags = xso->flags;