diff options
| author | Johannes Berg | 2010-09-17 00:38:25 +0200 |
|---|---|---|
| committer | John W. Linville | 2010-09-20 19:41:40 +0200 |
| commit | df6d02300f7c2fbd0fbe626d819c8e5237d72c62 (patch) | |
| tree | 7f0eadba6ca9d0cc19b26dc82ec61bc8df4c9fe2 | |
| parent | iwlwifi: do not perferm force reset while doing scan (diff) | |
| download | kernel-qcow2-linux-df6d02300f7c2fbd0fbe626d819c8e5237d72c62.tar.gz kernel-qcow2-linux-df6d02300f7c2fbd0fbe626d819c8e5237d72c62.tar.xz kernel-qcow2-linux-df6d02300f7c2fbd0fbe626d819c8e5237d72c62.zip | |
wext: fix potential private ioctl memory content leak
When a driver doesn't fill the entire buffer, old
heap contents may remain, and if it also doesn't
update the length properly, this old heap content
will be copied back to userspace.
It is very unlikely that this happens in any of
the drivers using private ioctls since it would
show up as junk being reported by iwpriv, but it
seems better to be safe here, so use kzalloc.
Reported-by: Jeff Mahoney <jeffm@suse.com>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | net/wireless/wext-priv.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/wext-priv.c b/net/wireless/wext-priv.c index 3feb28e41c53..674d426a9d24 100644 --- a/net/wireless/wext-priv.c +++ b/net/wireless/wext-priv.c @@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd, } else if (!iwp->pointer) return -EFAULT; - extra = kmalloc(extra_size, GFP_KERNEL); + extra = kzalloc(extra_size, GFP_KERNEL); if (!extra) return -ENOMEM; |