netfilter: conntrack: Use memset_startat() to zero struct nf_conn

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_startat() to avoid confusing memset() about writing beyond the target struct member. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: conntrack: Use memset_startat() to zero struct nf_conn
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_startat() to avoid confusing memset() about writing beyond the target struct member. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4be1dbb7 · Kees Cook · Pablo Neira Ayuso · fc5e0352 · 4be1dbb7
Commit 4be1dbb7 authored Nov 18, 2021 by Kees Cook Committed by Pablo Neira Ayuso Nov 30, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

net/netfilter/nf_conntrack_core.c net/netfilter/nf_conntrack_core.c +1 -3

No files found.
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1562,9 +1562,7 @@ __nf_conntrack_alloc(struct net *net,
 	ct->status = 0;
 	ct->timeout = 0;
 	write_pnet(&ct->ct_net, net);
-	memset(&ct->__nfct_init_offset, 0,
-	       offsetof(struct nf_conn, proto) -
-	       offsetof(struct nf_conn, __nfct_init_offset));
+	memset_after(ct, 0, __nfct_init_offset);

 	nf_ct_zone_add(ct, zone);