Merged from Lupus: net sched: fix some kernel memory leaks

We leak at least 32bits of kernel memory to user land in tc dump, because we dont init all fields (capab ?) of the dumped structure. Use C99 initializers so that holes and non explicit fields are zeroed. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/sched/act_nat.c
2024-11-26 21:10:26 +00:00 · 2013-03-05 10:13:19 +02:00 · 2013-03-05 10:13:19 +02:00 · ce132e9cac
commit ce132e9cac
parent 717ad3e661
5 changed files with 44 additions and 45 deletions
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result
 static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
 {
 	unsigned char *b = skb_tail_pointer(skb);
-	struct tc_gact opt;
 	struct tcf_gact *gact = a->priv;
+	struct tc_gact opt = {
+	  .index   = gact->tcf_index,
+	  .refcnt  = gact->tcf_refcnt - ref,
+	  .bindcnt = gact->tcf_bindcnt - bind,
+	  .action  = gact->tcf_action,
+	};
 	struct tcf_t t;

-	opt.index = gact->tcf_index;
-	opt.refcnt = gact->tcf_refcnt - ref;
-	opt.bindcnt = gact->tcf_bindcnt - bind;
-	opt.action = gact->tcf_action;
 	NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt);
 #ifdef CONFIG_GACT_PROB
 	if (gact->tcfg_ptype) {
-		struct tc_gact_p p_opt;
-		p_opt.paction = gact->tcfg_paction;
-		p_opt.pval = gact->tcfg_pval;
-		p_opt.ptype = gact->tcfg_ptype;
+		struct tc_gact_p p_opt = {
+		.paction = gact->tcfg_paction,
+		.pval    = gact->tcfg_pval,
+		.ptype   = gact->tcfg_ptype,
+	};
+
 		NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt);
 	}
 #endif
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@ -205,15 +205,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i
 {
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_mirred *m = a->priv;
-	struct tc_mirred opt;
+	struct tc_mirred opt = {
+	  .index   = m->tcf_index,
+	  .action  = m->tcf_action,
+	  .refcnt  = m->tcf_refcnt - ref,
+	  .bindcnt = m->tcf_bindcnt - bind,
+	  .eaction = m->tcfm_eaction,
+	  .ifindex = m->tcfm_ifindex,
+	};
 	struct tcf_t t;

-	opt.index = m->tcf_index;
-	opt.action = m->tcf_action;
-	opt.refcnt = m->tcf_refcnt - ref;
-	opt.bindcnt = m->tcf_bindcnt - bind;
-	opt.eaction = m->tcfm_eaction;
-	opt.ifindex = m->tcfm_ifindex;
 	NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt);
 	t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install);
 	t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse);
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@ -261,28 +261,21 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a,
 {
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_nat *p = a->priv;
-	struct tc_nat *opt;
+	struct tc_nat opt = {
+	  .old_addr = p->old_addr,
+	  .new_addr = p->new_addr,
+	  .mask     = p->mask,
+	  .flags    = p->flags,
+
+	  .index   = p->tcf_index,
+	  .action  = p->tcf_action,
+	  .refcnt  = p->tcf_refcnt - ref,
+	  .bindcnt = p->tcf_bindcnt - bind,
+	};
 	struct tcf_t t;
 	int s;

-	s = sizeof(*opt);
-
-	/* netlink spinlocks held above us - must use ATOMIC */
-	opt = kzalloc(s, GFP_ATOMIC);
-	if (unlikely(!opt))
-		return -ENOBUFS;
-
-	opt->old_addr = p->old_addr;
-	opt->new_addr = p->new_addr;
-	opt->mask = p->mask;
-	opt->flags = p->flags;
-
-	opt->index = p->tcf_index;
-	opt->action = p->tcf_action;
-	opt->refcnt = p->tcf_refcnt - ref;
-	opt->bindcnt = p->tcf_bindcnt - bind;
-
-	NLA_PUT(skb, TCA_NAT_PARMS, s, opt);
+	NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt);
 	t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install);
 	t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse);
 	t.expires = jiffies_to_clock_t(p->tcf_tm.expires);
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@ -163,13 +163,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
 {
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_defact *d = a->priv;
-	struct tc_defact opt;
+	struct tc_defact opt = {
+	  .index   = d->tcf_index,
+	  .refcnt  = d->tcf_refcnt - ref,
+	  .bindcnt = d->tcf_bindcnt - bind,
+	  .action  = d->tcf_action,
+	};
 	struct tcf_t t;

-	opt.index = d->tcf_index;
-	opt.refcnt = d->tcf_refcnt - ref;
-	opt.bindcnt = d->tcf_bindcnt - bind;
-	opt.action = d->tcf_action;
 	NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt);
 	NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata);
 	t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install);
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@ -147,13 +147,14 @@ static inline int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
 {
 	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_skbedit *d = a->priv;
-	struct tc_skbedit opt;
+	struct tc_skbedit opt = {
+	  .index = d->tcf_index,
+	  .refcnt = d->tcf_refcnt - ref,
+	  .bindcnt = d->tcf_bindcnt - bind,
+	  .action = d->tcf_action;,
+	};
 	struct tcf_t t;

-	opt.index = d->tcf_index;
-	opt.refcnt = d->tcf_refcnt - ref;
-	opt.bindcnt = d->tcf_bindcnt - bind;
-	opt.action = d->tcf_action;
 	NLA_PUT(skb, TCA_SKBEDIT_PARMS, sizeof(opt), &opt);
 	if (d->flags & SKBEDIT_F_PRIORITY)
 		NLA_PUT(skb, TCA_SKBEDIT_PRIORITY, sizeof(d->priority),