net/rds: Fix info leak in rds6_inc_info_copy()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The rds6_inc_info_copy() function has a couple struct members which
are leaking stack information. The ->tos field should hold actual
information and the ->flags field needs to be zeroed out.

Fixes: 3eb450367d08 ("rds: add type of service(tos) infrastructure")
Fixes: b7ff8b1036f0 ("rds: Extend RDS API for IPv6 support")
Reported-by: 黄ID蝴蝶 <butterflyhuangxx@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Ka-Cheong Poon and committed by

David S. Miller 6 years ago 7d0a0658 2c1644cf

+4 -1

1 changed file

expand all

net

rds

recv.c

+4 -1

net/rds/recv.c

··· 1 1 /* 2 - * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved. 2 + * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved. 3 3 * 4 4 * This software is available to you under a choice of one of two 5 5 * licenses. You may choose to be licensed under the terms of the GNU ··· 811 811 812 812 minfo6.seq = be64_to_cpu(inc->i_hdr.h_sequence); 813 813 minfo6.len = be32_to_cpu(inc->i_hdr.h_len); 814 + minfo6.tos = inc->i_conn->c_tos; 814 815 815 816 if (flip) { 816 817 minfo6.laddr = *daddr; ··· 824 823 minfo6.lport = inc->i_hdr.h_sport; 825 824 minfo6.fport = inc->i_hdr.h_dport; 826 825 } 826 + 827 + minfo6.flags = 0; 827 828 828 829 rds_info_copy(iter, &minfo6, sizeof(minfo6)); 829 830 }