3.16.50-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause <minipli@xxxxxxxxxxxxxx> commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream. The memory reserved to dump the ID of the xfrm state includes a padding byte in struct xfrm_usersa_id added by the compiler for alignment. To prevent the heap info leak, memset(0) the whole struct before filling it. Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification") Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2552,6 +2552,7 @@ static int xfrm_notify_sa(struct xfrm_st struct nlattr *attr; id = nlmsg_data(nlh); + memset(id, 0, sizeof(*id)); memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); id->spi = x->id.spi; id->family = x->props.family;
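
Review bot: the added memset(id, 0, sizeof(*id)) directly after id = nlmsg_data(nlh) has no comment saying it exists for the compiler-added padding byte in struct xfrm_usersa_id. Because the next lines assign daddr, spi and family, a later cleanup could take the memset for redundant initialisation and remove it. A one-line comment above it would prevent that, for example /* zero the whole struct, including padding, before it is sent out */. The commit message carries the reasoning, but the code is where the next person to edit xfrm_notify_sa() will look.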
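
The padding byte described in the commit message can be observed in userspace. The following is an added example, not part of the patch or the kernel source; `struct usersa_id_demo`, its field types, the sample values and the 0xAA fill byte are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in using the field types assumed for struct xfrm_usersa_id. */
struct usersa_id_demo {
    uint8_t  daddr[16];
    uint32_t spi;
    uint16_t family;
    uint8_t  proto;   /* tail padding follows to keep 4-byte alignment */
};
#define STALE 0xAA    /* constructed marker for old heap contents */
#define COVER(f) memset(covered + offsetof(struct usersa_id_demo, f), 1, \
                        sizeof(((struct usersa_id_demo *)0)->f))

/* Fill the payload field by field, optionally zeroing it first. */
static void fill_id(struct usersa_id_demo *id, int zero_first)
{
    static const uint8_t addr[16] = { 192, 0, 2, 1 };  /* constructed */
    if (zero_first)
        memset(id, 0, sizeof(*id));
    memcpy(id->daddr, addr, sizeof(id->daddr));
    id->spi = 0x1234;
    id->family = 2;
    id->proto = 50;
}

/* Count bytes outside every named field that still hold stale data. */
static size_t stale_padding_bytes(int zero_first)
{
    unsigned char covered[sizeof(struct usersa_id_demo)] = { 0 };
    unsigned char *buf = malloc(sizeof(covered));
    size_t i, leaked = 0;
    if (!buf) abort();
    memset(buf, STALE, sizeof(covered));   /* dirty allocation */
    fill_id((struct usersa_id_demo *)buf, zero_first);
    COVER(daddr); COVER(spi); COVER(family); COVER(proto);
    for (i = 0; i < sizeof(covered); i++)
        leaked += !covered[i] && buf[i] == STALE;
    free(buf);
    return leaked;
}

int main(void)
{
    printf("stale: %zu unzeroed, %zu zeroed\n", stale_padding_bytes(0), stale_padding_bytes(1));
    return 0;
}
```

The same coverage-map check can be pointed at any struct that is copied out whole, to confirm that field-by-field initialisation leaves no bytes unwritten.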