* [PATCH] net sched: fix kernel leak in act_police
@ 2010-08-31 23:21 Jeff Mahoney
2010-08-31 23:24 ` Jeff Mahoney
2010-09-01 21:29 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Jeff Mahoney @ 2010-08-31 23:21 UTC (permalink / raw)
To: David S. Miller; +Cc: Eric Dumazet, Network Development
While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
audited other users of tc_action_ops->dump for information leaks.
That commit covered almost all of them but act_police still had a leak.
opt.limit and opt.capab aren't zeroed out before the structure is
passed out.
This patch uses the C99 initializers to zero everything unused out.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
net/sched/act_police.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -350,22 +350,19 @@ tcf_act_police_dump(struct sk_buff *skb,
{
unsigned char *b = skb_tail_pointer(skb);
struct tcf_police *police = a->priv;
- struct tc_police opt;
+ struct tc_police opt = {
+ .index = police->tcf_index,
+ .action = police->tcf_action,
+ .mtu = police->tcfp_mtu,
+ .burst = police->tcfp_burst,
+ .refcnt = police->tcf_refcnt - ref,
+ .bindcnt = police->tcf_bindcnt - bind,
+ };
- opt.index = police->tcf_index;
- opt.action = police->tcf_action;
- opt.mtu = police->tcfp_mtu;
- opt.burst = police->tcfp_burst;
- opt.refcnt = police->tcf_refcnt - ref;
- opt.bindcnt = police->tcf_bindcnt - bind;
if (police->tcfp_R_tab)
opt.rate = police->tcfp_R_tab->rate;
- else
- memset(&opt.rate, 0, sizeof(opt.rate));
if (police->tcfp_P_tab)
opt.peakrate = police->tcfp_P_tab->rate;
- else
- memset(&opt.peakrate, 0, sizeof(opt.peakrate));
NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
if (police->tcfp_result)
NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
--
Jeff Mahoney
SUSE Labs
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] net sched: fix kernel leak in act_police
2010-08-31 23:21 [PATCH] net sched: fix kernel leak in act_police Jeff Mahoney
@ 2010-08-31 23:24 ` Jeff Mahoney
2010-09-01 21:29 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Jeff Mahoney @ 2010-08-31 23:24 UTC (permalink / raw)
To: David S. Miller; +Cc: Eric Dumazet, Network Development
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/31/2010 07:21 PM, Jeff Mahoney wrote:
> While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
> audited other users of tc_action_ops->dump for information leaks.
>
> That commit covered almost all of them but act_police still had a leak.
>
> opt.limit and opt.capab aren't zeroed out before the structure is
> passed out.
>
> This patch uses the C99 initializers to zero everything unused out.
>
> Signed-off-by: Jeff Mahoney <jeffm@suse.com>
> Acked-by: Jeff Mahoney <jeffm@suse.com>
Oops. Sorry about the Acked-by. I have a script that I use to rename
patches for inclusion in our trees and it tacks that on. This patch was
just pulled out of our master branch.
- -Jeff
> ---
> net/sched/act_police.c | 19 ++++++++-----------
> 1 file changed, 8 insertions(+), 11 deletions(-)
>
> --- a/net/sched/act_police.c
> +++ b/net/sched/act_police.c
> @@ -350,22 +350,19 @@ tcf_act_police_dump(struct sk_buff *skb,
> {
> unsigned char *b = skb_tail_pointer(skb);
> struct tcf_police *police = a->priv;
> - struct tc_police opt;
> + struct tc_police opt = {
> + .index = police->tcf_index,
> + .action = police->tcf_action,
> + .mtu = police->tcfp_mtu,
> + .burst = police->tcfp_burst,
> + .refcnt = police->tcf_refcnt - ref,
> + .bindcnt = police->tcf_bindcnt - bind,
> + };
>
> - opt.index = police->tcf_index;
> - opt.action = police->tcf_action;
> - opt.mtu = police->tcfp_mtu;
> - opt.burst = police->tcfp_burst;
> - opt.refcnt = police->tcf_refcnt - ref;
> - opt.bindcnt = police->tcf_bindcnt - bind;
> if (police->tcfp_R_tab)
> opt.rate = police->tcfp_R_tab->rate;
> - else
> - memset(&opt.rate, 0, sizeof(opt.rate));
> if (police->tcfp_P_tab)
> opt.peakrate = police->tcfp_P_tab->rate;
> - else
> - memset(&opt.peakrate, 0, sizeof(opt.peakrate));
> NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
> if (police->tcfp_result)
> NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
- --
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkx9jxoACgkQLPWxlyuTD7JckgCeLVlJwnVM/cIgIQlB3iNKcVU5
misAnRfgTTmi/pGqyb1xFVoysQSTABal
=S9mH
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] net sched: fix kernel leak in act_police
2010-08-31 23:21 [PATCH] net sched: fix kernel leak in act_police Jeff Mahoney
2010-08-31 23:24 ` Jeff Mahoney
@ 2010-09-01 21:29 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2010-09-01 21:29 UTC (permalink / raw)
To: jeffm; +Cc: eric.dumazet, netdev
From: Jeff Mahoney <jeffm@suse.com>
Date: Tue, 31 Aug 2010 19:21:42 -0400
> While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
> audited other users of tc_action_ops->dump for information leaks.
>
> That commit covered almost all of them but act_police still had a leak.
>
> opt.limit and opt.capab aren't zeroed out before the structure is
> passed out.
>
> This patch uses the C99 initializers to zero everything unused out.
>
> Signed-off-by: Jeff Mahoney <jeffm@suse.com>
> Acked-by: Jeff Mahoney <jeffm@suse.com>
Applied.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-09-01 21:29 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-08-31 23:21 [PATCH] net sched: fix kernel leak in act_police Jeff Mahoney
2010-08-31 23:24 ` Jeff Mahoney
2010-09-01 21:29 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.