Commit 71a98248 authored by Yasuaki Torimaru, committed by Steffen Klassert

xfrm: clear trailing padding in build_polexpire()

build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.

The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.

Add the missing memset_after() call, matching build_expire().

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
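The leak the commit message describes, shown in an added userspace example that is not kernel code: a constructed struct with a lone `__u8`-sized `hard` field at the end stands in for struct xfrm_user_polexpire, a buffer pre-filled with 0xA5 stands in for a recycled heap chunk, and a local `memset_after()` macro reproduces the kernel macro's semantics (zero every byte after the named member up to the end of the object). The "leaky" builder writes only `hard`, the "fixed" builder adds the `memset_after()` call from the patch, and both return how many padding bytes still hold stale data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's memset_after(): zero every byte of
 * *obj that follows the named member (later members and trailing padding).
 * Assumption: same semantics as the kernel macro, reimplemented here. */
#define memset_after(obj, v, member) do {                                   \
    char *__p = (char *)(obj) + offsetof(__typeof__(*(obj)), member)        \
                + sizeof((obj)->member);                                    \
    memset(__p, (v), (size_t)((char *)(obj) + sizeof(*(obj)) - __p));      \
} while (0)

/* Constructed stand-in for struct xfrm_user_polexpire: a wider leading
 * field followed by a single byte forces trailing padding after 'hard'. */
struct demo_polexpire {
    uint64_t ref;   /* placeholder for the larger leading members */
    uint8_t  hard;  /* last named member, as in the real struct */
};

/* Number of padding bytes that follow 'hard' in the constructed struct. */
#define DEMO_PAD_LEN (sizeof(struct demo_polexpire) \
                      - offsetof(struct demo_polexpire, hard) - 1)

/* Simulate the allocator handing back memory still holding old data. */
static void fill_stale(struct demo_polexpire *upe)
{
    memset(upe, 0xA5, sizeof(*upe));
}

/* Count the padding bytes that would reach userspace nonzero. */
static size_t nonzero_padding(const struct demo_polexpire *upe)
{
    const unsigned char *pad = (const unsigned char *)upe
                               + offsetof(struct demo_polexpire, hard) + 1;
    size_t n = 0;
    for (size_t i = 0; i < DEMO_PAD_LEN; i++)
        if (pad[i] != 0)
            n++;
    return n;
}

/* Before the fix: only 'hard' is written, padding keeps stale bytes. */
size_t build_polexpire_leaky(int hard)
{
    struct demo_polexpire upe;
    fill_stale(&upe);
    upe.ref = 1;
    upe.hard = !!hard;
    return nonzero_padding(&upe);
}

/* After the fix: memset_after() clears the padding, as in the patch. */
size_t build_polexpire_fixed(int hard)
{
    struct demo_polexpire upe;
    fill_stale(&upe);
    upe.ref = 1;
    upe.hard = !!hard;
    /* clear the padding bytes */
    memset_after(&upe, 0, hard);
    return nonzero_padding(&upe);
}

int main(void)
{
    printf("padding bytes after hard: %zu\n", (size_t)DEMO_PAD_LEN);
    printf("leaky build: %zu stale padding bytes\n", build_polexpire_leaky(1));
    printf("fixed build: %zu stale padding bytes\n", build_polexpire_fixed(1));
    return 0;
}
```

Because memset_after() measures from the end of the named member to sizeof the whole object, it clears the padding regardless of how wide that padding is on a given ABI; the same property is why it only stays correct while `hard` remains the last member.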
parent c4ea7d89
+2 −0
@@ -3960,6 +3960,8 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
		return err;
	}
	upe->hard = !!hard;
	/* clear the padding bytes */
	memset_after(upe, 0, hard);

	nlmsg_end(skb, nlh);
	return 0;
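Review bot: the new `memset_after(upe, 0, hard);` zeroes every byte from the end of `hard` to the end of struct xfrm_user_polexpire, so it is correct only as long as `hard` remains the last named member; the comment `/* clear the padding bytes */` could say so ("clear trailing padding; hard must stay the last member") so that a field appended after `hard` later is not silently zeroed. The ordering is right: `upe->hard = !!hard;` is written first and memset_after() does not touch `hard` itself, which matches the build_expire() pattern the commit message cites.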