| Message ID | 1343627114-17899-1-git-send-email-minipli@googlemail.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: Mathias Krause <minipli@googlemail.com> Date: Mon, 30 Jul 2012 07:45:14 +0200 > The tun module leaks up to 36 bytes of memory by not fully initializing > a structure located on the stack that gets copied to user memory by the > TUNGETIFF and SIOCGIFHWADDR ioctl()s. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> Applied and queued up for -stable, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 2012-07-30 at 07:45 +0200, Mathias Krause wrote: > The tun module leaks up to 36 bytes of memory by not fully initializing > a structure located on the stack that gets copied to user memory by the > TUNGETIFF and SIOCGIFHWADDR ioctl()s. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> > --- > v2: > - removed braces around else branch > - minor adjustment of the commit message > > drivers/net/tun.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index 987aeef..01255ff 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -1252,9 +1252,11 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, > int vnet_hdr_sz; > int ret; > > - if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) > + if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { > if (copy_from_user(&ifr, argp, ifreq_len)) > return -EFAULT; > + } else > + memset(&ifr, 0, sizeof(ifr)); > > if (cmd == TUNGETFEATURES) { > /* Currently this just means: "what IFF flags are valid?". Actually braces were better vi +169 Documentation/CodingStyle This does not apply if only one branch of a conditional statement is a single statement; in the latter case use braces in both branches: if (condition) { do_this(); do_that(); } else { otherwise(); } -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Mon, 30 Jul 2012 08:22:20 +0200 > On Mon, 2012-07-30 at 07:45 +0200, Mathias Krause wrote: >> The tun module leaks up to 36 bytes of memory by not fully initializing >> a structure located on the stack that gets copied to user memory by the >> TUNGETIFF and SIOCGIFHWADDR ioctl()s. >> >> Signed-off-by: Mathias Krause <minipli@googlemail.com> >> --- >> v2: >> - removed braces around else branch >> - minor adjustment of the commit message >> >> drivers/net/tun.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/net/tun.c b/drivers/net/tun.c >> index 987aeef..01255ff 100644 >> --- a/drivers/net/tun.c >> +++ b/drivers/net/tun.c >> @@ -1252,9 +1252,11 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, >> int vnet_hdr_sz; >> int ret; >> >> - if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) >> + if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { >> if (copy_from_user(&ifr, argp, ifreq_len)) >> return -EFAULT; >> + } else >> + memset(&ifr, 0, sizeof(ifr)); >> >> if (cmd == TUNGETFEATURES) { >> /* Currently this just means: "what IFF flags are valid?". > > > Actually braces were better > > vi +169 Documentation/CodingStyle > > This does not apply if only one branch of a conditional statement is a > single > statement; in the latter case use braces in both branches: > > if (condition) { > do_this(); > do_that(); > } else { > otherwise(); > } Ok I'll fix this up myself. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 987aeef..01255ff 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1252,9 +1252,11 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; - if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) + if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; + } else + memset(&ifr, 0, sizeof(ifr)); if (cmd == TUNGETFEATURES) { /* Currently this just means: "what IFF flags are valid?".
The tun module leaks up to 36 bytes of memory by not fully initializing a structure located on the stack that gets copied to user memory by the TUNGETIFF and SIOCGIFHWADDR ioctl()s. Signed-off-by: Mathias Krause <minipli@googlemail.com> --- v2: - removed braces around else branch - minor adjustment of the commit message drivers/net/tun.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)