tcp: return sizeof tcp_dctcp_info in dctcp_get_info()
authorNeal Cardwell <ncardwell@google.com>
Mon, 13 Jun 2016 15:20:35 +0000 (11:20 -0400)
committerDavid S. Miller <davem@davemloft.net>
Wed, 15 Jun 2016 06:46:30 +0000 (23:46 -0700)
Make sure that dctcp_get_info() returns only the size of the
info->dctcp struct that it zeroes out and fills in. Previously it had
been returning the size of the enclosing tcp_cc_info union,
sizeof(*info).  There is no problem yet, but that union that may one
day be larger than struct tcp_dctcp_info, in which case the
TCP_CC_INFO code might accidentally copy uninitialized bytes from the
stack.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/tcp_dctcp.c

index 7e538f71f5fbae087c3e3e4367d60e08cd609ac5..10d728b6804c259e459cc81a82e5c961839cc578 100644 (file)
@@ -293,7 +293,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr,
         */
        if (ext & (1 << (INET_DIAG_DCTCPINFO - 1)) ||
            ext & (1 << (INET_DIAG_VEGASINFO - 1))) {
-               memset(info, 0, sizeof(struct tcp_dctcp_info));
+               memset(&info->dctcp, 0, sizeof(info->dctcp));
                if (inet_csk(sk)->icsk_ca_ops != &dctcp_reno) {
                        info->dctcp.dctcp_enabled = 1;
                        info->dctcp.dctcp_ce_state = (u16) ca->ce_state;
@@ -303,7 +303,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr,
                }
 
                *attr = INET_DIAG_DCTCPINFO;
-               return sizeof(*info);
+               return sizeof(info->dctcp);
        }
        return 0;
 }