[PATCH v2] net/tun: fix ioctl() based info leaks
From: Mathias Krause <hidden>
Date: 2012-07-30 05:46:02
Subsystem:
networking drivers, the rest, tun/tap driver · Maintainers:
Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds, Willem de Bruijn, Jason Wang
The tun module leaks up to 36 bytes of memory by not fully initializing a structure located on the stack that gets copied to user memory by the TUNGETIFF and SIOCGIFHWADDR ioctl()s. Signed-off-by: Mathias Krause <redacted> --- v2: - removed braces around else branch - minor adjustment of the commit message drivers/net/tun.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 987aeef..01255ff 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c@@ -1252,9 +1252,11 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int vnet_hdr_sz; int ret; - if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) + if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) { if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; + } else + memset(&ifr, 0, sizeof(ifr)); if (cmd == TUNGETFEATURES) { /* Currently this just means: "what IFF flags are valid?".
--
1.7.10.4