ipv6,gre: do not leak info to user-space

There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller <davem@davemloft.net> Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Amerigo Wang <amwang@redhat.com> 2013-05-09 17:56:37 -0400
committer: David S. Miller <davem@davemloft.net> 2013-05-11 20:40:14 -0400
commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f (patch)
tree: efdc2ea5315d01fa10b2a7404e1562af9ab4dd57 /net/ipv6/ip6_gre.c
parent: d34710e3e30fee26f4b0617b5458aa1c48236bb0 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index d3ddd8400354..ecd60733e5e2 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1081,6 +1081,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
                }
                if (t == NULL)
                        t = netdev_priv(dev);
+                memset(&p, 0, sizeof(p));
                ip6gre_tnl_parm_to_user(&p, &t->parms);
                if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
                        err = -EFAULT;
@@ -1128,6 +1129,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
                if (t) {
                        err = 0;
+                        memset(&p, 0, sizeof(p));
                        ip6gre_tnl_parm_to_user(&p, &t->parms);
                        if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
                                err = -EFAULT;
author	Amerigo Wang <amwang@redhat.com>	2013-05-09 17:56:37 -0400
committer	David S. Miller <davem@davemloft.net>	2013-05-11 20:40:14 -0400
commit	5dbd5068430b8bd1c19387d46d6c1a88b261257f (patch)
tree	efdc2ea5315d01fa10b2a7404e1562af9ab4dd57 /net/ipv6/ip6_gre.c
parent	d34710e3e30fee26f4b0617b5458aa1c48236bb0 (diff)