author Johannes Berg <johannes.berg@intel.com> 2010-09-17 00:38:25 +0200
committer Greg Kroah-Hartman <gregkh@suse.de> 2010-10-28 21:04:15 -0700
commit 45d787b8a946313b73e8a8fc5d501c9aea3d8847
tree 1f4271a35521bc748ecb0d81a05f66c95c7b78d8
parent 1aa14af44cc76d3e38ed4a0b321cab7323a59452
wext: fix potential private ioctl memory content leak

commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.

When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace.

It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc.

Reported-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- net/wireless/wext.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index d98ffb75119a..6890b7ecd53a 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c
@@ -947,7 +947,7 @@ static int ioctl_private_iw_point(struct iw_point *iwp, unsigned int cmd,
} else if (!iwp->pointer)
return -EFAULT;
- extra = kmalloc(extra_size, GFP_KERNEL);
+ extra = kzalloc(extra_size, GFP_KERNEL);
if (!extra)
return -ENOMEM;
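Review bot: the changed allocation line (extra = kzalloc(extra_size, GFP_KERNEL);) carries no comment saying the zeroing is deliberate, so a later cleanup could switch it back to kmalloc without noticing the security purpose. The commit message explains that a handler may leave part of the buffer unwritten and still have it copied back to userspace; a one-line comment above the allocation stating that the buffer is zeroed so unwritten bytes never reach userspace would preserve that reasoning in the code. Zeroing also only removes the stale heap contents: the length the driver reports is still trusted, and the copy-back path is not visible in this hunk, so it is worth confirming separately that the copy is bounded by extra_size.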