netfilter: conntrack: Use memset_startat() to zero struct nf_conn

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring fields. Use memset_startat() to avoid confusing memset() about writing beyond the target struct member. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Kees Cook <keescook@chromium.org> 2021-11-18 12:31:13 -0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-11-30 22:49:29 +0100
commit: 4be1dbb75c3de6af1888fa79778388fd4e529543 (patch)
tree: 279d9e38b265dfa3efa28bb75d4bcb297d9f432d /net/netfilter
parent: ipvs: remove unused variable for ip_vs_new_dest (diff)
download: linux-dev-4be1dbb75c3de6af1888fa79778388fd4e529543.tar.xz
linux-dev-4be1dbb75c3de6af1888fa79778388fd4e529543.zip
1 files changed, 1 insertions, 3 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 054ee9d25efe..aa657db18318 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1562,9 +1562,7 @@ __nf_conntrack_alloc(struct net *net,
 	ct->status = 0;
 	ct->timeout = 0;
 	write_pnet(&ct->ct_net, net);
-	memset(&ct->__nfct_init_offset, 0,
-	       offsetof(struct nf_conn, proto) -
-	       offsetof(struct nf_conn, __nfct_init_offset));
+	memset_after(ct, 0, __nfct_init_offset);
 
 	nf_ct_zone_add(ct, zone);
author	Kees Cook <keescook@chromium.org>	2021-11-18 12:31:13 -0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-11-30 22:49:29 +0100
commit	4be1dbb75c3de6af1888fa79778388fd4e529543 (patch)
tree	279d9e38b265dfa3efa28bb75d4bcb297d9f432d /net/netfilter
parent	ipvs: remove unused variable for ip_vs_new_dest (diff)
download	linux-dev-4be1dbb75c3de6af1888fa79778388fd4e529543.tar.xz linux-dev-4be1dbb75c3de6af1888fa79778388fd4e529543.zip