[PATCH] drivers/net/usb/hso.c: prevent reading uninitialized memory

[PATCH] drivers/net/usb/hso.c: prevent reading uninitialized memory

[Dan Rosenberg]

The TIOCGICOUNT device ioctl allows unprivileged users to read 9 bytes
of uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in hso_get_count()
is not altered or zeroed before being copied back to the user.  This
patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

--- linux-2.6.35.4.orig/drivers/net/usb/hso.c	2010-09-11
19:12:00.000000000 -0400
+++ linux-2.6.35.4/drivers/net/usb/hso.c	2010-09-11 19:15:23.000000000 -0400
@@ -1653,6 +1653,8 @@ static int hso_get_count(struct hso_seri
 	struct uart_icount cnow;
 	struct hso_tiocmget  *tiocmget = serial->tiocmget;

+	memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
 	if (!tiocmget)
 		 return -ENOENT;
 	spin_lock_irq(&serial->serial_lock);

Re: [PATCH] drivers/net/usb/hso.c: prevent reading uninitialized memory

[David Miller]

From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date: Sat, 11 Sep 2010 19:46:35 -0400

> --- linux-2.6.35.4.orig/drivers/net/usb/hso.c	2010-09-11
> 19:12:00.000000000 -0400
> +++ linux-2.6.35.4/drivers/net/usb/hso.c	2010-09-11 19:15:23.000000000 -0400
> @@ -1653,6 +1653,8 @@ static int hso_get_count(struct hso_seri

All of your patches were corrupted by your email client, long lines were
broken up, and tabs were converted into spaces.

This makes your patches unusable.

Also, all networking patches should be submitted with netdev@vger.kernel.org
in the CC: list.

Please correct these issues and resubmit your patches, thank you.