net/tun: fix ioctl() based info leaks

[ Upstream commits a117dacd and 8bbb1813 ] The tun module leaks up to 36 bytes of memory by not fully initializing a structure located on the stack that gets copied to user memory by the TUNGETIFF and SIOCGIFHWADDR ioctl()s. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>

net/tun: fix ioctl() based info leaks
[ Upstream commits a117dacd and 8bbb1813 ] The tun module leaks up to 36 bytes of memory by not fully initializing a structure located on the stack that gets copied to user memory by the TUNGETIFF and SIOCGIFHWADDR ioctl()s. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
bf9f4ca1 · Mathias Krause · Willy Tarreau · fdd6b652 · bf9f4ca1
Commit bf9f4ca1 authored Jul 29, 2012 by Mathias Krause Committed by Willy Tarreau Oct 07, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

drivers/net/tun.c drivers/net/tun.c +4 -2

No files found.
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1121,10 +1121,12 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd,
 	int sndbuf;
 	int ret;

-	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
+	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
 		if (copy_from_user(&ifr, argp, sizeof ifr))
 			return -EFAULT;
-
+	} else {
+		memset(&ifr, 0, sizeof(ifr));
+	}
 	if (cmd == TUNGETFEATURES) {
 		/* Currently this just means: "what IFF flags are valid?".
 		 * This is needed because we never checked for invalid flags on