tcp: sysctl interface leaks 16 bytes of kernel memory

If the rc_dereference of tcp_fastopen_ctx ever fails then we copy 16 bytes
of kernel stack into the proc result.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 9205e492dc9d8a36b05f18ccedcdf4704867c986..63d4eccc674ddd1d297368166792e99c636658f6 100644 (file)
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -248,6 +248,8 @@ int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer,
        ctxt = rcu_dereference(tcp_fastopen_ctx);
        if (ctxt)
                memcpy(user_key, ctxt->key, TCP_FASTOPEN_KEY_LENGTH);
+       else
+               memset(user_key, 0, sizeof(user_key));
        rcu_read_unlock();
 
        snprintf(tbl.data, tbl.maxlen, "%08x-%08x-%08x-%08x",