net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()

CVE-2014-9900

memset() the structure ethtool_wolinfo that has padded bytes
but the padded bytes have not been zeroed out.

Change-Id: If3fd2d872a1b1ab9521d937b86a29fc468a8bbfe
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
(cherry-picked from commit 63c317dbee97983004dffdd9f742a20d17150071
 https://source.codeaurora.org/quic/la/kernel/msm-3.10)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index d92de0a1f0a49d51ec8329c65d46a4f2ae304ebd..c06c6acf78c58b2eb06f22093d40a2fd44145bfd 100644 (file)
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1449,11 +1449,13 @@ static int ethtool_reset(struct net_device *dev, char __user *useraddr)
 
 static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
 {
-       struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
+       struct ethtool_wolinfo wol;
 
        if (!dev->ethtool_ops->get_wol)
                return -EOPNOTSUPP;
 
+       memset(&wol, 0, sizeof(struct ethtool_wolinfo));
+       wol.cmd = ETHTOOL_GWOL;
        dev->ethtool_ops->get_wol(dev, &wol);
 
        if (copy_to_user(useraddr, &wol, sizeof(wol)))