diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-10-24 09:55:20 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-10-24 09:55:20 -0400 |
commit | 66ed1e5ec1d979e572554643063734a7664261bb (patch) | |
tree | ebe8b3f132b4191d1f1c663e75f93e778db0cd6c /net/core | |
parent | 62e20a624b18e135870ae781087bc63fdda829ba (diff) |
pktgen: Dont leak kernel memory
While playing with pktgen, I realized IP ID was not filled and a
random value was taken, possibly leaking 2 bytes of kernel memory.
We can use an increasing ID, this can help diagnostics anyway.
Also clear packet payload, instead of leaking kernel memory.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/pktgen.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 86acdba0a97d..6eb8d47cbf3a 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c | |||
@@ -335,6 +335,7 @@ struct pktgen_dev { | |||
335 | __u32 cur_src_mac_offset; | 335 | __u32 cur_src_mac_offset; |
336 | __be32 cur_saddr; | 336 | __be32 cur_saddr; |
337 | __be32 cur_daddr; | 337 | __be32 cur_daddr; |
338 | __u16 ip_id; | ||
338 | __u16 cur_udp_dst; | 339 | __u16 cur_udp_dst; |
339 | __u16 cur_udp_src; | 340 | __u16 cur_udp_src; |
340 | __u16 cur_queue_map; | 341 | __u16 cur_queue_map; |
@@ -2630,6 +2631,8 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev, | |||
2630 | iph->protocol = IPPROTO_UDP; /* UDP */ | 2631 | iph->protocol = IPPROTO_UDP; /* UDP */ |
2631 | iph->saddr = pkt_dev->cur_saddr; | 2632 | iph->saddr = pkt_dev->cur_saddr; |
2632 | iph->daddr = pkt_dev->cur_daddr; | 2633 | iph->daddr = pkt_dev->cur_daddr; |
2634 | iph->id = htons(pkt_dev->ip_id); | ||
2635 | pkt_dev->ip_id++; | ||
2633 | iph->frag_off = 0; | 2636 | iph->frag_off = 0; |
2634 | iplen = 20 + 8 + datalen; | 2637 | iplen = 20 + 8 + datalen; |
2635 | iph->tot_len = htons(iplen); | 2638 | iph->tot_len = htons(iplen); |
@@ -2641,24 +2644,26 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev, | |||
2641 | skb->dev = odev; | 2644 | skb->dev = odev; |
2642 | skb->pkt_type = PACKET_HOST; | 2645 | skb->pkt_type = PACKET_HOST; |
2643 | 2646 | ||
2644 | if (pkt_dev->nfrags <= 0) | 2647 | if (pkt_dev->nfrags <= 0) { |
2645 | pgh = (struct pktgen_hdr *)skb_put(skb, datalen); | 2648 | pgh = (struct pktgen_hdr *)skb_put(skb, datalen); |
2646 | else { | 2649 | memset(pgh + 1, 0, datalen - sizeof(struct pktgen_hdr)); |
2650 | } else { | ||
2647 | int frags = pkt_dev->nfrags; | 2651 | int frags = pkt_dev->nfrags; |
2648 | int i; | 2652 | int i, len; |
2649 | 2653 | ||
2650 | pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8); | 2654 | pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8); |
2651 | 2655 | ||
2652 | if (frags > MAX_SKB_FRAGS) | 2656 | if (frags > MAX_SKB_FRAGS) |
2653 | frags = MAX_SKB_FRAGS; | 2657 | frags = MAX_SKB_FRAGS; |
2654 | if (datalen > frags * PAGE_SIZE) { | 2658 | if (datalen > frags * PAGE_SIZE) { |
2655 | skb_put(skb, datalen - frags * PAGE_SIZE); | 2659 | len = datalen - frags * PAGE_SIZE; |
2660 | memset(skb_put(skb, len), 0, len); | ||
2656 | datalen = frags * PAGE_SIZE; | 2661 | datalen = frags * PAGE_SIZE; |
2657 | } | 2662 | } |
2658 | 2663 | ||
2659 | i = 0; | 2664 | i = 0; |
2660 | while (datalen > 0) { | 2665 | while (datalen > 0) { |
2661 | struct page *page = alloc_pages(GFP_KERNEL, 0); | 2666 | struct page *page = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0); |
2662 | skb_shinfo(skb)->frags[i].page = page; | 2667 | skb_shinfo(skb)->frags[i].page = page; |
2663 | skb_shinfo(skb)->frags[i].page_offset = 0; | 2668 | skb_shinfo(skb)->frags[i].page_offset = 0; |
2664 | skb_shinfo(skb)->frags[i].size = | 2669 | skb_shinfo(skb)->frags[i].size = |