Bluetooth: Fix leak of uninitialized data to userspace
    struct hci_dev_list_req {
            __u16  dev_num;
            struct hci_dev_req dev_req[0];  /* hci_dev_req structures */
    };

sizeof(struct hci_dev_list_req) == 4, so the two bytes immediately
following "dev_num" will never be initialized. When this structure
is copied to userspace, these uninitialized bytes are leaked.

Fix by using kzalloc() instead of kmalloc(). Found using kmemcheck.

Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
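The padding the commit message describes, as an added example that is not part of this commit or of the kernel tree: a userspace C program that mirrors the allocation in hci_get_dev_list(), with a marker-filled malloc() standing in for kmalloc() and a zeroed one for kzalloc(), and a memcpy() standing in for the copy to userspace. The layout of struct hci_dev_req used here (a __u16 followed by a __u32) is an assumption; it is the layout that makes sizeof(struct hci_dev_list_req) == 4 as the message states. Under that assumption every array entry carries two padding bytes of its own, so the count also shows why zeroing the whole allocation, rather than only the two bytes after dev_num, is the right fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed element layout: the uint32_t member forces 4-byte alignment, which
 * pads the 2-byte dev_num in the header out to offset 4 and also leaves two
 * padding bytes between dev_id and dev_opt inside every entry. */
struct hci_dev_req {
    uint16_t dev_id;
    uint32_t dev_opt;
};

struct hci_dev_list_req {
    uint16_t dev_num;
    struct hci_dev_req dev_req[];   /* flexible array, as in the kernel header */
};

/* Marker byte standing in for stale heap contents left by a previous user. */
#define STALE 0xA5

/* Stand-in for kmalloc(): memory comes back with whatever was there before. */
static void *fake_kmalloc(size_t size)
{
    void *p = malloc(size);
    if (p)
        memset(p, STALE, size);
    return p;
}

/* Stand-in for kzalloc(): the whole allocation, padding included, is zeroed. */
static void *fake_kzalloc(size_t size)
{
    void *p = malloc(size);
    if (p)
        memset(p, 0, size);
    return p;
}

/* Build the reply the way hci_get_dev_list() does (header plus dev_num
 * entries, every named field written explicitly), copy it out as the kernel
 * would with copy_to_user(), and count bytes that still carry the STALE
 * marker in the copy userspace receives. Returns -1 on allocation failure. */
static long leaked_bytes(void *(*alloc)(size_t), uint16_t dev_num)
{
    size_t size = sizeof(struct hci_dev_list_req) +
                  (size_t)dev_num * sizeof(struct hci_dev_req);
    struct hci_dev_list_req *dl = alloc(size);
    unsigned char *user;
    long leaked = 0;

    if (!dl)
        return -1;

    dl->dev_num = dev_num;
    for (uint16_t i = 0; i < dev_num; i++) {
        dl->dev_req[i].dev_id = i;              /* never equals STALE for small i */
        dl->dev_req[i].dev_opt = 0x1000u + i;   /* bytes 00 10 00 00 .. */
    }

    user = malloc(size);                        /* the userspace destination */
    if (!user) {
        free(dl);
        return -1;
    }
    memcpy(user, dl, size);                     /* copy_to_user() stand-in */

    for (size_t i = 0; i < size; i++)
        if (user[i] == STALE)
            leaked++;

    free(user);
    free(dl);
    return leaked;
}

int main(void)
{
    printf("sizeof(struct hci_dev_list_req) = %zu\n", sizeof(struct hci_dev_list_req));
    printf("kmalloc, 3 devices: %ld stale bytes reach userspace\n",
           leaked_bytes(fake_kmalloc, 3));
    printf("kzalloc, 3 devices: %ld stale bytes reach userspace\n",
           leaked_bytes(fake_kzalloc, 3));
    return 0;
}
```

With three entries the kmalloc() path leaks eight bytes: the two header padding bytes the message names plus two per entry, none of which any assignment in the function ever touches. A hand-written memset() of just the header would have left the per-entry padding uninitialized, which is why zeroing the full allocation is the safer form.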
Vegard Nossum authored and Marcel Holtmann committed Nov 30, 2008
1 parent 7644d63 commit c6bf514
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/bluetooth/hci_core.c
Expand Up @@ -756,7 +756,7 @@ int hci_get_dev_list(void __user *arg)

size = sizeof(*dl) + dev_num * sizeof(*dr);

if (!(dl = kmalloc(size, GFP_KERNEL)))
if (!(dl = kzalloc(size, GFP_KERNEL)))
return -ENOMEM;

dr = dl->dev_req;
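Review bot: the switch to kzalloc() closes the padding leak the message describes, but the size computation two lines above it, `size = sizeof(*dl) + dev_num * sizeof(*dr);`, has no visible bound on dev_num in this hunk; if dev_num is taken from the userspace request, reject oversized values before the multiplication so the allocation can neither wrap nor grow unbounded. As a style point, separating the assignment from the test reads better and is what checkpatch prefers: `dl = kzalloc(size, GFP_KERNEL); if (!dl) return -ENOMEM;`.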
