[NETLINK]: Missing initializations in dumped data

Mostly missing initialization of padding fields of 1 or 2 bytes length,
two instances of uninitialized nlmsgerr->msg of 16 bytes length.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Patrick McHardy and committed by David S. Miller 9ef1d4c7 b3563c4f

+32 -3
+6
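--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1598,6 +1598,8 @@
 
 read_lock_bh(&tbl->lock);
 ndtmsg->ndtm_family = tbl->family;
+ndtmsg->ndtm_pad1 = 0;
+ndtmsg->ndtm_pad2 = 0;
 
 RTA_PUT_STRING(skb, NDTA_NAME, tbl->id);
 RTA_PUT_MSECS(skb, NDTA_GC_INTERVAL, tbl->gc_interval);
@@ -1683,6 +1685,8 @@
 
 read_lock_bh(&tbl->lock);
 ndtmsg->ndtm_family = tbl->family;
+ndtmsg->ndtm_pad1 = 0;
+ndtmsg->ndtm_pad2 = 0;
 RTA_PUT_STRING(skb, NDTA_NAME, tbl->id);
 
 if (neightbl_fill_parms(skb, parms) < 0)
@@ -1872,6 +1876,8 @@
 struct ndmsg *ndm = NLMSG_DATA(nlh);
 
 ndm->ndm_family = n->ops->family;
+ndm->ndm_pad1 = 0;
+ndm->ndm_pad2 = 0;
 ndm->ndm_flags = n->flags;
 ndm->ndm_type = n->type;
 ndm->ndm_ifindex = n->dev->ifindex;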
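Review bot: Clearing the padding one member at a time, as the added pairs `ndtmsg->ndtm_pad1 = 0; ndtmsg->ndtm_pad2 = 0;` and `ndm->ndm_pad1 = 0; ndm->ndm_pad2 = 0;` do, only holds while every fill site lists every pad member; the cls_api.c hunk of this same commit assigns `tcm__pad1` twice and never `tcm__pad2`, which shows how easily one is missed. Because these headers are copied to userspace as part of the dump, a single `memset(ndm, 0, sizeof(*ndm));` straight after `NLMSG_DATA(nlh)` would zero the padding and any member added later in one place. The same per-field pattern recurs in the rtnetlink.c, wireless.c, addrconf.c, act_api.c, sch_api.c and sch_cbq.c hunks. The enclosing functions start and end outside these hunks, so whether another path already zeroes the buffer cannot be seen here.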
+1
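--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -189,6 +189,7 @@
 nlh = NLMSG_NEW(skb, pid, seq, type, sizeof(*r), flags);
 r = NLMSG_DATA(nlh);
 r->ifi_family = AF_UNSPEC;
+r->__ifi_pad = 0;
 r->ifi_type = dev->type;
 r->ifi_index = dev->ifindex;
 r->ifi_flags = dev_get_flags(dev);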
+1
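--- a/net/core/wireless.c
+++ b/net/core/wireless.c
@@ -1102,6 +1102,7 @@
 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(*r));
 r = NLMSG_DATA(nlh);
 r->ifi_family = AF_UNSPEC;
+r->__ifi_pad = 0;
 r->ifi_type = dev->type;
 r->ifi_index = dev->ifindex;
 r->ifi_flags = dev->flags;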
+8 -2
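--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -297,6 +297,7 @@
 static void ipmr_destroy_unres(struct mfc_cache *c)
 {
 struct sk_buff *skb;
+struct nlmsgerr *e;
 
 atomic_dec(&cache_resolve_queue_len);
 
@@ -306,7 +307,9 @@
 nlh->nlmsg_type = NLMSG_ERROR;
 nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
 skb_trim(skb, nlh->nlmsg_len);
-((struct nlmsgerr*)NLMSG_DATA(nlh))->error = -ETIMEDOUT;
+e = NLMSG_DATA(nlh);
+e->error = -ETIMEDOUT;
+memset(&e->msg, 0, sizeof(e->msg));
 netlink_unicast(rtnl, skb, NETLINK_CB(skb).dst_pid, MSG_DONTWAIT);
 } else
 kfree_skb(skb);
@@ -499,6 +502,7 @@
 static void ipmr_cache_resolve(struct mfc_cache *uc, struct mfc_cache *c)
 {
 struct sk_buff *skb;
+struct nlmsgerr *e;
 
 /*
 * Play the pending entries through our router
@@ -515,7 +519,9 @@
 nlh->nlmsg_type = NLMSG_ERROR;
 nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
 skb_trim(skb, nlh->nlmsg_len);
-((struct nlmsgerr*)NLMSG_DATA(nlh))->error = -EMSGSIZE;
+e = NLMSG_DATA(nlh);
+e->error = -EMSGSIZE;
+memset(&e->msg, 0, sizeof(e->msg));
 }
 err = netlink_unicast(rtnl, skb, NETLINK_CB(skb).dst_pid, MSG_DONTWAIT);
 } else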
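Review bot: Neither added `memset(&e->msg, 0, sizeof(e->msg));` says why it is there, and in both ipmr_destroy_unres() and ipmr_cache_resolve() the reason is not obvious from the surrounding lines. The skb is trimmed to `NLMSG_LENGTH(sizeof(struct nlmsgerr))` and passed to `netlink_unicast()`, so the whole `msg` member is delivered to the receiver together with the error code. A one-line comment above each call, e.g. `/* msg is sent with the error code; clear it so stale skb contents are not disclosed */`, would keep a later cleanup from removing the memset as dead code. Both function bodies are only partly visible in these hunks.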
+1
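--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2923,6 +2923,7 @@
 nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*r), flags);
 r = NLMSG_DATA(nlh);
 r->ifi_family = AF_INET6;
+r->__ifi_pad = 0;
 r->ifi_type = dev->type;
 r->ifi_index = dev->ifindex;
 r->ifi_flags = dev_get_flags(dev);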
+9 -1
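--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -439,6 +439,8 @@
 
 t = NLMSG_DATA(nlh);
 t->tca_family = AF_UNSPEC;
+t->tca__pad1 = 0;
+t->tca__pad2 = 0;
 
 x = (struct rtattr*) skb->tail;
 RTA_PUT(skb, TCA_ACT_TAB, 0, NULL);
@@ -580,6 +582,8 @@
 nlh = NLMSG_PUT(skb, pid, n->nlmsg_seq, RTM_DELACTION, sizeof(*t));
 t = NLMSG_DATA(nlh);
 t->tca_family = AF_UNSPEC;
+t->tca__pad1 = 0;
+t->tca__pad2 = 0;
 
 x = (struct rtattr *) skb->tail;
 RTA_PUT(skb, TCA_ACT_TAB, 0, NULL);
@@ -687,7 +691,9 @@
 nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*t), flags);
 t = NLMSG_DATA(nlh);
 t->tca_family = AF_UNSPEC;
-
+t->tca__pad1 = 0;
+t->tca__pad2 = 0;
+
 x = (struct rtattr*) skb->tail;
 RTA_PUT(skb, TCA_ACT_TAB, 0, NULL);
 
@@ -842,6 +848,8 @@
 cb->nlh->nlmsg_type, sizeof(*t));
 t = NLMSG_DATA(nlh);
 t->tca_family = AF_UNSPEC;
+t->tca__pad1 = 0;
+t->tca__pad2 = 0;
 
 x = (struct rtattr *) skb->tail;
 RTA_PUT(skb, TCA_ACT_TAB, 0, NULL);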
+2
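--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -331,6 +331,8 @@
 nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*tcm), flags);
 tcm = NLMSG_DATA(nlh);
 tcm->tcm_family = AF_UNSPEC;
+tcm->tcm__pad1 = 0;
+tcm->tcm__pad1 = 0;
 tcm->tcm_ifindex = tp->q->dev->ifindex;
 tcm->tcm_parent = tp->classid;
 tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);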
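Review bot: The second added line repeats `tcm->tcm__pad1 = 0;`, so `tcm__pad2` is never written at this fill site. Going by the commit's own description, those bytes of the `tcmsg` header would then still reach userspace uninitialized, which is the disclosure this change sets out to close. The line should read `tcm->tcm__pad2 = 0;`, matching the pair added in the sch_api.c hunk. The enclosing function begins and ends outside the hunk.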
+2
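--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -770,6 +770,8 @@
 nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*tcm), flags);
 tcm = NLMSG_DATA(nlh);
 tcm->tcm_family = AF_UNSPEC;
+tcm->tcm__pad1 = 0;
+tcm->tcm__pad2 = 0;
 tcm->tcm_ifindex = q->dev->ifindex;
 tcm->tcm_parent = clid;
 tcm->tcm_handle = q->handle;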
+2
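--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1563,6 +1563,8 @@
 
 if (cl->police) {
 opt.police = cl->police;
+opt.__res1 = 0;
+opt.__res2 = 0;
 RTA_PUT(skb, TCA_CBQ_POLICE, sizeof(opt), &opt);
 }
 return skb->len;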