From d701cb4100474ed1b2fd3eeed6193bff4407ed5c Mon Sep 17 00:00:00 2001
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Thu, 22 Jun 2017 18:57:55 -0700
Subject: [PATCH] tcp: fix out-of-bounds access in ULP sysctl

KASAN reports out-of-bound access in proc_dostring() coming from
proc_tcp_available_ulp() because in case TCP ULP list is empty
the buffer allocated for the response will not have anything
printed into it.  Set the first byte to zero to avoid strlen()
going out-of-bounds.

Fixes: 591678870c9f ("tcp: ULP infrastructure")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/tcp_ulp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
index e855ea70819b6..2417f55374c59 100644
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -88,6 +88,7 @@ void tcp_get_available_ulp(char *buf, size_t maxlen)
 	struct tcp_ulp_ops *ulp_ops;
 	size_t offs = 0;
 
+	*buf = '\0';
 	rcu_read_lock();
 	list_for_each_entry_rcu(ulp_ops, &tcp_ulp_list, list) {
 		offs += snprintf(buf + offs, maxlen - offs,
-- 
2.39.5