3.16.50-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream.
The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling
it.
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2552,6 +2552,7 @@ static int xfrm_notify_sa(struct xfrm_st
struct nlattr *attr;
id = nlmsg_data(nlh);
+ memset(id, 0, sizeof(*id));
memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
id->spi = x->id.spi;
id->family = x->props.family;