Commit c085c499 authored by Mathias Krause's avatar Mathias Krause Committed by David S. Miller

bridge: fix mdb info leaks

The bridging code discloses heap and stack bytes via the RTM_GETMDB
netlink interface and via the notify messages send to group RTNLGRP_MDB
afer a successful add/del.

Fix both cases by initializing all unset members/padding bytes with
memset(0).

Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 84421b99
...@@ -80,6 +80,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb, ...@@ -80,6 +80,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb,
port = p->port; port = p->port;
if (port) { if (port) {
struct br_mdb_entry e; struct br_mdb_entry e;
memset(&e, 0, sizeof(e));
e.ifindex = port->dev->ifindex; e.ifindex = port->dev->ifindex;
e.state = p->state; e.state = p->state;
if (p->addr.proto == htons(ETH_P_IP)) if (p->addr.proto == htons(ETH_P_IP))
...@@ -136,6 +137,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -136,6 +137,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
break; break;
bpm = nlmsg_data(nlh); bpm = nlmsg_data(nlh);
memset(bpm, 0, sizeof(*bpm));
bpm->ifindex = dev->ifindex; bpm->ifindex = dev->ifindex;
if (br_mdb_fill_info(skb, cb, dev) < 0) if (br_mdb_fill_info(skb, cb, dev) < 0)
goto out; goto out;
...@@ -171,6 +173,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb, ...@@ -171,6 +173,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb,
return -EMSGSIZE; return -EMSGSIZE;
bpm = nlmsg_data(nlh); bpm = nlmsg_data(nlh);
memset(bpm, 0, sizeof(*bpm));
bpm->family = AF_BRIDGE; bpm->family = AF_BRIDGE;
bpm->ifindex = dev->ifindex; bpm->ifindex = dev->ifindex;
nest = nla_nest_start(skb, MDBA_MDB); nest = nla_nest_start(skb, MDBA_MDB);
...@@ -228,6 +231,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port, ...@@ -228,6 +231,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port,
{ {
struct br_mdb_entry entry; struct br_mdb_entry entry;
memset(&entry, 0, sizeof(entry));
entry.ifindex = port->dev->ifindex; entry.ifindex = port->dev->ifindex;
entry.addr.proto = group->proto; entry.addr.proto = group->proto;
entry.addr.u.ip4 = group->u.ip4; entry.addr.u.ip4 = group->u.ip4;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment