From: Jakub Kicinski Date: Fri, 23 Jun 2017 01:57:55 +0000 (-0700) Subject: tcp: fix out-of-bounds access in ULP sysctl X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=926f38e9744b2ee6d92085c28ebb50744e9e1182;p=openwrt%2Fstaging%2Fblogic.git tcp: fix out-of-bounds access in ULP sysctl KASAN reports out-of-bound access in proc_dostring() coming from proc_tcp_available_ulp() because in case TCP ULP list is empty the buffer allocated for the response will not have anything printed into it. Set the first byte to zero to avoid strlen() going out-of-bounds. Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller --- diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c index e855ea70819b..2417f55374c5 100644 --- a/net/ipv4/tcp_ulp.c +++ b/net/ipv4/tcp_ulp.c @@ -88,6 +88,7 @@ void tcp_get_available_ulp(char *buf, size_t maxlen) struct tcp_ulp_ops *ulp_ops; size_t offs = 0; + *buf = '\0'; rcu_read_lock(); list_for_each_entry_rcu(ulp_ops, &tcp_ulp_list, list) { offs += snprintf(buf + offs, maxlen - offs,