net: clear heap allocation for ETHTOOL_GRXCLSRLALL

commit ae6df5f96a51818d6376da5307d773baeece4014 upstream. Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel heap without clearing it. For the one driver (niu) that implements it, it will leave the unused portion of heap unchanged and copy the full contents back to userspace. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
author: Kees Cook <kees.cook@canonical.com> 2010-10-07 10:03:48 +0000
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17 16:15:37 -0400
commit: 5fdf1fe64e1713adaccb5c9e7151a1ff3fda2db1 (patch)
tree: 37a50b86d21ce851f2d78a7d3e3aab1607bb67f5 /net
parent: 7f455daeb1a1c97fc94669af41def9386e426c6f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 5328c62fa0a..49a23380944 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -349,7 +349,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
 	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
 		if (info.rule_cnt > 0) {
 			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
-				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
 						   GFP_USER);
 			if (!rule_buf)
 				return -ENOMEM;
author	Kees Cook <kees.cook@canonical.com>	2010-10-07 10:03:48 +0000
committer	Paul Gortmaker <paul.gortmaker@windriver.com>	2011-04-17 16:15:37 -0400
commit	5fdf1fe64e1713adaccb5c9e7151a1ff3fda2db1 (patch)
tree	37a50b86d21ce851f2d78a7d3e3aab1607bb67f5 /net
parent	7f455daeb1a1c97fc94669af41def9386e426c6f (diff)