net: clear heap allocation for ETHTOOL_GRXCLSRLALL
author Kees Cook <kees.cook@canonical.com>
Thu, 7 Oct 2010 10:03:48 +0000 (10:03 +0000)
committer David S. Miller <davem@davemloft.net>
Fri, 8 Oct 2010 17:48:28 +0000 (10:48 -0700)
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/ethtool.c

index 7a85367b3c2f8010af24bbd6b6f4249698f9d78d..4016ac6bdd5eb9c910192aab7cc3235835296c4f 100644 (file)
@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
        if (info.cmd == ETHTOOL_GRXCLSRLALL) {
                if (info.rule_cnt > 0) {
                        if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
-                               rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+                               rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
                                                   GFP_USER);
                        if (!rule_buf)
                                return -ENOMEM;
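
Review bot: the changed allocation line still open-codes info.rule_cnt * sizeof(u32), so the multiplication is only safe because of the rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32) guard on the line above it. kcalloc(info.rule_cnt, sizeof(u32), GFP_USER) would zero the buffer and keep the overflow check attached to the allocation itself, so the two cannot drift apart in a later edit. Zeroing closes the disclosure described in the commit message, but the full rule_cnt-sized buffer is still copied back to userspace; copying back only the entries the driver actually filled in would avoid relying on the allocator for this and would cover any future path that reuses rule_buf. A short comment next to the kzalloc call saying that the buffer is returned to userspace in full would also help keep it from being turned back into kmalloc.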