Message ID | 1465831235-29876-1-git-send-email-ncardwell@google.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On 06/13/2016 05:20 PM, Neal Cardwell wrote:
> Make sure that dctcp_get_info() returns only the size of the
> info->dctcp struct that it zeroes out and fills in. Previously it had
> been returning the size of the enclosing tcp_cc_info union,
> sizeof(*info). There is no problem yet, but that union may one
> day be larger than struct tcp_dctcp_info, in which case the
> TCP_CC_INFO code might accidentally copy uninitialized bytes from the
> stack.
>
> Signed-off-by: Neal Cardwell <ncardwell@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

From: Neal Cardwell <ncardwell@google.com>
Date: Mon, 13 Jun 2016 11:20:35 -0400

> Make sure that dctcp_get_info() returns only the size of the
> info->dctcp struct that it zeroes out and fills in. Previously it had
> been returning the size of the enclosing tcp_cc_info union,
> sizeof(*info). There is no problem yet, but that union may one
> day be larger than struct tcp_dctcp_info, in which case the
> TCP_CC_INFO code might accidentally copy uninitialized bytes from the
> stack.
>
> Signed-off-by: Neal Cardwell <ncardwell@google.com>
> Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied.
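
The size mismatch described in the commit message, modeled in user space as an added example (not part of the thread or of the kernel source). The type and function names, `struct future_info` (a hypothetical larger union member) and the `0xAA` stale-stack marker are assumptions; the dctcp field layout mirrors `struct tcp_dctcp_info`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the kernel types; not the kernel's definitions. */
struct dctcp_info { uint16_t enabled, ce_state; uint32_t alpha, ab_ecn, ab_tot; };
struct future_info { uint32_t v[8]; };   /* hypothetical larger union member */
union cc_info { struct dctcp_info dctcp; struct future_info future; };

#define STALE 0xAA   /* constructed marker for leftover stack contents */

/* Pre-patch shape: initialize the dctcp member, report the union's size. */
static size_t get_info_union_size(union cc_info *info)
{
    memset(info, 0, sizeof(struct dctcp_info));
    info->dctcp.enabled = 1;
    return sizeof(*info);
}

/* Post-patch shape: report only the bytes that were initialized. */
static size_t get_info_member_size(union cc_info *info)
{
    memset(&info->dctcp, 0, sizeof(info->dctcp));
    info->dctcp.enabled = 1;
    return sizeof(info->dctcp);
}

/* Models a caller that copies out as many bytes as the callback reports.
 * Returns how many stale (never initialized) bytes reached the output. */
static size_t stale_bytes_copied(size_t (*get_info)(union cc_info *))
{
    union cc_info info;
    unsigned char out[sizeof(union cc_info)] = {0};
    size_t n, i, stale = 0;
    memset(&info, STALE, sizeof(info));   /* stand-in for old stack data */
    n = get_info(&info);
    memcpy(out, &info, n);
    for (i = 0; i < n; i++)
        stale += (out[i] == STALE);
    return stale;
}

int main(void)
{
    printf("union size:  %zu stale bytes\n", stale_bytes_copied(get_info_union_size));
    printf("member size: %zu stale bytes\n", stale_bytes_copied(get_info_member_size));
    return 0;
}
```

With the union as it stood at the time of the patch the two sizes coincide, which is why the message says there is no problem yet; the stale bytes appear only once a larger member exists.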
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c index 7e538f7..10d728b 100644 --- a/net/ipv4/tcp_dctcp.c +++ b/net/ipv4/tcp_dctcp.c @@ -293,7 +293,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr, */ if (ext & (1 << (INET_DIAG_DCTCPINFO - 1)) || ext & (1 << (INET_DIAG_VEGASINFO - 1))) { - memset(info, 0, sizeof(struct tcp_dctcp_info)); + memset(&info->dctcp, 0, sizeof(info->dctcp)); if (inet_csk(sk)->icsk_ca_ops != &dctcp_reno) { info->dctcp.dctcp_enabled = 1; info->dctcp.dctcp_ce_state = (u16) ca->ce_state; @@ -303,7 +303,7 @@ static size_t dctcp_get_info(struct sock *sk, u32 ext, int *attr, } *attr = INET_DIAG_DCTCPINFO; - return sizeof(*info); + return sizeof(info->dctcp); } return 0; }
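
Review bot: In the @@ -293,7 hunk, the length passed to memset(&info->dctcp, 0, sizeof(info->dctcp)) is written out a second time at the return further down in the same branch, so the zeroed length and the reported length can drift apart if only one of them is edited later. Consider computing the length once in this branch, for example a local holding sizeof(info->dctcp), and using it for both the memset and the return value.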
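
Review bot: In the @@ -303,7 hunk, return sizeof(info->dctcp) depends on an unwritten rule that the returned length never exceeds the bytes this function zeroed or filled, and nothing in the visible code states that rule. A short comment at the return (or on dctcp_get_info()) saying that this many bytes of info are copied out, so the value must cover only initialized fields, would help keep a later change from going back to sizeof(*info).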