On Fri, Oct 30, 2015 at 05:33:03AM -0700, Loganaden Velvindron wrote: > counterstmp is not cleared before it is used in get_counters(). it might be > leaked partially when it is sent to userland later on. get_counters() is memcpy'ing the old counter to the counterstmp area and updating it. Where is there leak? > Signed-off-by: Loganaden Velvindron <logan@xxxxxxxxxxxx> > --- > net/bridge/netfilter/ebtables.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c > index f46ca41..26922e9 100644 > --- a/net/bridge/netfilter/ebtables.c > +++ b/net/bridge/netfilter/ebtables.c > @@ -989,7 +989,7 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, > the check on the size is done later, when we have the lock */ > if (repl->num_counters) { > unsigned long size = repl->num_counters * sizeof(*counterstmp); > - counterstmp = vmalloc(size); > + counterstmp = vzalloc(size); > if (!counterstmp) > return -ENOMEM; > } > @@ -1410,7 +1410,7 @@ static int copy_counters_to_user(struct ebt_table *t, > return -EINVAL; > } > > - counterstmp = vmalloc(nentries * sizeof(*counterstmp)); > + counterstmp = vzalloc(nentries * sizeof(*counterstmp)); > if (!counterstmp) > return -ENOMEM; > > -- > 2.6.1 > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
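
Review bot: The changelog does not name the path by which unwritten bytes of counterstmp would reach userland, and nothing at the vzalloc(size) call in do_replace_finish() shows the buffer being only partly filled. As the reply points out, get_counters() memcpy's the old counters into this area. If all of size is always written before the copy out, zeroing only adds work that grows with repl->num_counters. If there is a case where fewer bytes are written than were allocated, describe it in the commit message so the fix can be checked against it. If the change is meant as hardening rather than a fix for an actual leak, say so.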
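
Review bot: In copy_counters_to_user(), the allocation size is computed inline as nentries * sizeof(*counterstmp), and the only validation visible in the hunk is the -EINVAL return just above it. Whether every byte of this buffer is written depends on the count get_counters() fills matching that product exactly. Please confirm that the earlier check bounds nentries so the multiplication cannot wrap, and consider computing the size once into a local, as the first hunk does with size, so the allocation and any later copy out use the same value. The changelog should also say which of the two call sites is believed to leak, since this is the one whose name implies a copy to userland.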