[Lucid][CVE-2013-2234] af_key: fix info leaks in notify messages

[Luis Henriques]

From: Mathias Krause <minipli at googlemail.com>

BugLink: http://bugs.launchpad.net/bugs/1198294

CVE-2013-2234

key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
the sadb_msg_reserved member of the broadcasted message and thereby
leak 2 bytes of heap memory to listeners. Fix that.

Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Steffen Klassert <steffen.klassert at secunet.com>
Cc: "David S. Miller" <davem at davemloft.net>
Cc: Herbert Xu <herbert at gondor.apana.org.au>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/key/af_key.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 4e98193..03d626f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1726,6 +1726,7 @@ static int key_notify_sa_flush(struct km_event *c)
 	hdr->sadb_msg_version = PF_KEY_V2;
 	hdr->sadb_msg_errno = (uint8_t) 0;
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+	hdr->sadb_msg_reserved = 0;
 
 	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 
@@ -2694,6 +2695,7 @@ static int key_notify_policy_flush(struct km_event *c)
 	hdr->sadb_msg_version = PF_KEY_V2;
 	hdr->sadb_msg_errno = (uint8_t) 0;
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+	hdr->sadb_msg_reserved = 0;
 	pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 	return 0;
 
-- 
1.8.1.2