authorKees Cook <kees.cook@canonical.com>2010-10-07 06:03:48 -0400
committerDavid S. Miller <davem@davemloft.net>2010-10-08 13:48:28 -0400
commitae6df5f96a51818d6376da5307d773baeece4014 (patch)
treee696e82cc5a4df37f0d2d3fa25045a79646a0cce /net
parent94b105723a3bfca45c75916423cd959ce71ed215 (diff)
net: clear heap allocation for ETHTOOL_GRXCLSRLALL
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/core/ethtool.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 7a85367b3c2f..4016ac6bdd5e 100644
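--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
 if (info.cmd == ETHTOOL_GRXCLSRLALL) {
 if (info.rule_cnt > 0) {
 if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
-rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
 GFP_USER);
 if (!rule_buf)
 return -ENOMEM;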
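Review bot: The `kzalloc` call is now what prevents stale heap contents from reaching userspace, but nothing at the allocation site says so, and a later cleanup could switch it back to `kmalloc` without noticing. I would add a comment above the allocation such as `/* must be zeroed: the whole buffer is copied back to userspace even when the driver fills only part of it */`. As a matter of style, `rule_buf = kcalloc(info.rule_cnt, sizeof(u32), GFP_USER);` expresses the same zeroed count-times-size allocation and keeps the overflow check inside the allocator. The rest of ethtool_get_rxnfc, including the copy back to userspace, lies outside the hunk, so whether the copied length is bounded by the allocated `rule_cnt` cannot be confirmed from here.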