xfrm_user: fix info leak in build_expire()
The memory reserved to dump the expired xfrm state includes padding bytes in struct xfrm_user_expire added by the compiler for alignment. To prevent the heap info leak, memset(0) the remainder of the struct. Initializing the whole structure isn't needed as copy_to_user_state() already takes care of clearing the padding bytes within the 'state' member. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
50329c8a34
commit
e3e5fc1698
|
@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
|
|||
ue = nlmsg_data(nlh);
|
||||
copy_to_user_state(x, &ue->state);
|
||||
ue->hard = (c->data.hard != 0) ? 1 : 0;
|
||||
/* clear the padding bytes */
|
||||
memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
|
||||
|
||||
err = xfrm_mark_put(skb, &x->mark);
|
||||
if (err)
|
||||
|
|
Loading…
Reference in New Issue