aboutsummaryrefslogtreecommitdiffstats
path: root/net/core
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2009-10-24 09:55:20 -0400
committerDavid S. Miller <davem@davemloft.net>2009-10-24 09:55:20 -0400
commit66ed1e5ec1d979e572554643063734a7664261bb (patch)
treeebe8b3f132b4191d1f1c663e75f93e778db0cd6c /net/core
parent62e20a624b18e135870ae781087bc63fdda829ba (diff)
pktgen: Dont leak kernel memory
While playing with pktgen, I realized IP ID was not filled and a random value was taken, possibly leaking 2 bytes of kernel memory. We can use an increasing ID, this can help diagnostics anyway. Also clear packet payload, instead of leaking kernel memory. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/pktgen.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 86acdba0a97d..6eb8d47cbf3a 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -335,6 +335,7 @@ struct pktgen_dev {
335 __u32 cur_src_mac_offset; 335 __u32 cur_src_mac_offset;
336 __be32 cur_saddr; 336 __be32 cur_saddr;
337 __be32 cur_daddr; 337 __be32 cur_daddr;
338 __u16 ip_id;
338 __u16 cur_udp_dst; 339 __u16 cur_udp_dst;
339 __u16 cur_udp_src; 340 __u16 cur_udp_src;
340 __u16 cur_queue_map; 341 __u16 cur_queue_map;
@@ -2630,6 +2631,8 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
2630 iph->protocol = IPPROTO_UDP; /* UDP */ 2631 iph->protocol = IPPROTO_UDP; /* UDP */
2631 iph->saddr = pkt_dev->cur_saddr; 2632 iph->saddr = pkt_dev->cur_saddr;
2632 iph->daddr = pkt_dev->cur_daddr; 2633 iph->daddr = pkt_dev->cur_daddr;
2634 iph->id = htons(pkt_dev->ip_id);
2635 pkt_dev->ip_id++;
2633 iph->frag_off = 0; 2636 iph->frag_off = 0;
2634 iplen = 20 + 8 + datalen; 2637 iplen = 20 + 8 + datalen;
2635 iph->tot_len = htons(iplen); 2638 iph->tot_len = htons(iplen);
@@ -2641,24 +2644,26 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
2641 skb->dev = odev; 2644 skb->dev = odev;
2642 skb->pkt_type = PACKET_HOST; 2645 skb->pkt_type = PACKET_HOST;
2643 2646
2644 if (pkt_dev->nfrags <= 0) 2647 if (pkt_dev->nfrags <= 0) {
2645 pgh = (struct pktgen_hdr *)skb_put(skb, datalen); 2648 pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
2646 else { 2649 memset(pgh + 1, 0, datalen - sizeof(struct pktgen_hdr));
2650 } else {
2647 int frags = pkt_dev->nfrags; 2651 int frags = pkt_dev->nfrags;
2648 int i; 2652 int i, len;
2649 2653
2650 pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8); 2654 pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8);
2651 2655
2652 if (frags > MAX_SKB_FRAGS) 2656 if (frags > MAX_SKB_FRAGS)
2653 frags = MAX_SKB_FRAGS; 2657 frags = MAX_SKB_FRAGS;
2654 if (datalen > frags * PAGE_SIZE) { 2658 if (datalen > frags * PAGE_SIZE) {
2655 skb_put(skb, datalen - frags * PAGE_SIZE); 2659 len = datalen - frags * PAGE_SIZE;
2660 memset(skb_put(skb, len), 0, len);
2656 datalen = frags * PAGE_SIZE; 2661 datalen = frags * PAGE_SIZE;
2657 } 2662 }
2658 2663
2659 i = 0; 2664 i = 0;
2660 while (datalen > 0) { 2665 while (datalen > 0) {
2661 struct page *page = alloc_pages(GFP_KERNEL, 0); 2666 struct page *page = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
2662 skb_shinfo(skb)->frags[i].page = page; 2667 skb_shinfo(skb)->frags[i].page = page;
2663 skb_shinfo(skb)->frags[i].page_offset = 0; 2668 skb_shinfo(skb)->frags[i].page_offset = 0;
2664 skb_shinfo(skb)->frags[i].size = 2669 skb_shinfo(skb)->frags[i].size =