From: Johannes Berg <johannes.berg@xxxxxxxxx> When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc. Reported-by: Jeff Mahoney <jeffm@xxxxxxxx> Cc: stable@xxxxxxxxxx Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> --- net/wireless/wext-priv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- wireless-testing.orig/net/wireless/wext-priv.c 2010-09-17 00:32:34.000000000 +0200 +++ wireless-testing/net/wireless/wext-priv.c 2010-09-17 00:32:43.000000000 +0200 @@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct } else if (!iwp->pointer) return -EFAULT; - extra = kmalloc(extra_size, GFP_KERNEL); + extra = kzalloc(extra_size, GFP_KERNEL); if (!extra) return -ENOMEM; -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
