Skip to content

Commit

Permalink
wext: fix potential private ioctl memory content leak
Browse files Browse the repository at this point in the history 
When a driver doesn't fill the entire buffer, old
heap contents may remain, and if it also doesn't
update the length properly, this old heap content
will be copied back to userspace.

It is very unlikely that this happens in any of
the drivers using private ioctls since it would
show up as junk being reported by iwpriv, but it
seems better to be safe here, so use kzalloc.

Reported-by: Jeff Mahoney <jeffm@suse.com>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
  • Loading branch information
Johannes Berg authored and John W. Linville committed Sep 20, 2010
1 parent 7acc7c6 commit df6d023
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/wireless/wext-priv.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd,
} else if (!iwp->pointer)
return -EFAULT;

extra = kmalloc(extra_size, GFP_KERNEL);
extra = kzalloc(extra_size, GFP_KERNEL);
if (!extra)
return -ENOMEM;

Expand Down

0 comments on commit df6d023

Please sign in to comment.