From: Johannes Berg Date: Thu, 16 Sep 2010 22:38:25 +0000 (+0200) Subject: wext: fix potential private ioctl memory content leak X-Git-Tag: v2.6.33.8~460 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=99d1bac7375639ceb89e20f5a56b000a2fbf434b;p=karo-tx-linux.git wext: fix potential private ioctl memory content leak commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream. When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc. Reported-by: Jeff Mahoney Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/wireless/wext-priv.c b/net/wireless/wext-priv.c index a3c2277de9e5..7438a34183e2 100644 --- a/net/wireless/wext-priv.c +++ b/net/wireless/wext-priv.c @@ -151,7 +151,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd, } else if (!iwp->pointer) return -EFAULT; - extra = kmalloc(extra_size, GFP_KERNEL); + extra = kzalloc(extra_size, GFP_KERNEL); if (!extra) return -ENOMEM;