xfrm_user: fix info leak in copy_user_offload() The memory reserved to dump the xfrm offload state includes padding bytes of struct xfrm_user_offload added by the compiler for alignment. Add an explicit memset(0) before filling the buffer to avoid the heap info leak. Cc: Steffen Klassert <steffen.klassert@secunet.com> Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

commit: 5fe0d4bd8f86d19f7f24c1ae5a9b6e6a5a52e51a [log] [tgz]
author: Mathias Krause <minipli@googlemail.com> Sat Aug 26 17:08:57 2017 +0200
committer: Steffen Klassert <steffen.klassert@secunet.com> Mon Aug 28 10:58:02 2017 +0200
tree: a09063c857fe5f1ad3fb5f2e6cdf7f64f6f6df95
parent: 54ffd790792898f05e215dce5aa593473e80e92f [diff] [blame]
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2be4c6a..3259555 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c

@@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
 		return -EMSGSIZE;
 
 	xuo = nla_data(attr);
-
+	memset(xuo, 0, sizeof(*xuo));
 	xuo->ifindex = xso->dev->ifindex;
 	xuo->flags = xso->flags;
commit	5fe0d4bd8f86d19f7f24c1ae5a9b6e6a5a52e51a	[log] [tgz]
author	Mathias Krause <minipli@googlemail.com>	Sat Aug 26 17:08:57 2017 +0200
committer	Steffen Klassert <steffen.klassert@secunet.com>	Mon Aug 28 10:58:02 2017 +0200
tree	a09063c857fe5f1ad3fb5f2e6cdf7f64f6f6df95
parent	54ffd790792898f05e215dce5aa593473e80e92f [diff] [blame]