From 8573f096c9734ab6ec1d697e62d792a264cd2e44 Mon Sep 17 00:00:00 2001
From: Simon Schubert
Date: Fri, 6 May 2005 11:52:02 +0000
Subject: [PATCH] Bring in fix from FreeBSD/cperciva: Log: If we are going to 1. Copy a NULL-terminated string into a fixed-length buffer, and 2. copyout that buffer to userland, we really ought to 0. Zero the entire buffer first. Security: FreeBSD-SA-05:08.kmem Thanks to Colin Percival for notifying us!
---
 sys/kern/vfs_subr.c | 3 ++-
 sys/net/if_mib.c | 3 ++-
 sys/netinet/in_pcb.c | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 72671d8192..e1d3635bc7 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -37,7 +37,7 @@
 *
 * @(#)vfs_subr.c 8.31 (Berkeley) 5/26/95
 * $FreeBSD: src/sys/kern/vfs_subr.c,v 1.249.2.30 2003/04/04 20:35:57 tegge Exp $
- * $DragonFly: src/sys/kern/vfs_subr.c,v 1.55 2005/04/19 17:54:42 dillon Exp $
+ * $DragonFly: src/sys/kern/vfs_subr.c,v 1.56 2005/05/06 11:52:02 corecode Exp $
 */
 /*
@@ -1445,6 +1445,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
 struct ovfsconf ovfs;
 for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) {
+ bzero(&ovfs, sizeof(ovfs));
 ovfs.vfc_vfsops = vfsp->vfc_vfsops; /* XXX used as flag */
 strcpy(ovfs.vfc_name, vfsp->vfc_name);
 ovfs.vfc_index = vfsp->vfc_typenum;
diff --git a/sys/net/if_mib.c b/sys/net/if_mib.c
index 70bdb7b56a..a473a8c096 100644
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@@ -27,7 +27,7 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/net/if_mib.c,v 1.8.2.1 2000/08/03 00:09:34 ps Exp $
- * $DragonFly: src/sys/net/if_mib.c,v 1.4 2005/01/03 23:25:25 joerg Exp $
+ * $DragonFly: src/sys/net/if_mib.c,v 1.5 2005/05/06 11:52:02 corecode Exp $
 */
 #include
@@ -95,6 +95,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
 return ENOENT;
 case IFDATA_GENERAL:
+ bzero(&ifmd, sizeof(ifmd));
 strlcpy(ifmd.ifmd_name, ifp->if_xname, sizeof(ifmd.ifmd_name));
 #define COPY(fld) ifmd.ifmd_##fld = ifp->if_##fld
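Review bot: In the sysctl_ovfs_conf hunk the `strcpy(ovfs.vfc_name, vfsp->vfc_name);` that follows the new bzero is still unbounded. The zeroing keeps stale stack bytes out of the copied-out structure, but it does nothing if the source name is ever longer than the destination field. The sizes of the two vfc_name arrays are not visible here, so this may be safe today. `strlcpy(ovfs.vfc_name, vfsp->vfc_name, sizeof(ovfs.vfc_name));` would make the bound explicit and match what the if_mib.c hunk already does. The loop body continues outside the hunk.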
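Review bot: The new `bzero(&ifmd, sizeof(ifmd));` in the IFDATA_GENERAL case of sysctl_ifdata carries no comment, so it reads like a redundant clear before the field assignments and is easy to drop in a later cleanup. Only the commit message says that the structure is copied out to userland; nothing in the hunk does. A one-line comment such as `/* ifmd is copied out to userland: clear padding and the unused tail of ifmd_name */` would record why the call must stay. The same applies to the bzero calls added in sysctl_ovfs_conf and in_pcblist_global. The case body continues outside the hunk.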
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 5b380e1d10..7b8e203baa 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -82,7 +82,7 @@
 *
 * @(#)in_pcb.c 8.4 (Berkeley) 5/24/95
 * $FreeBSD: src/sys/netinet/in_pcb.c,v 1.59.2.27 2004/01/02 04:06:42 ambrisko Exp $
- * $DragonFly: src/sys/netinet/in_pcb.c,v 1.34 2005/03/04 03:48:25 hsu Exp $
+ * $DragonFly: src/sys/netinet/in_pcb.c,v 1.35 2005/05/06 11:52:02 corecode Exp $
 */
 #include "opt_ipsec.h"
@@ -1202,6 +1202,7 @@ in_pcblist_global(SYSCTL_HANDLER_ARGS)
 continue;
 if (prison_xinpcb(req->td, inp))
 continue;
+ bzero(&xi, sizeof xi);
 xi.xi_len = sizeof xi;
 bcopy(inp, &xi.xi_inp, sizeof *inp);
 if (inp->inp_socket)
--
2.41.0
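Review bot: In the in_pcblist_global hunk the new bzero only protects bytes of xi that nothing overwrites afterwards. `bcopy(inp, &xi.xi_inp, sizeof *inp);` then copies the kernel inpcb verbatim, so whatever padding and pointer members it holds (inp_socket is tested on the next line) go out to userland unchanged. Whether exporting those values is an accepted part of the xinpcb interface cannot be told from the hunk. If it is, a comment next to the bcopy such as `/* xi_inp is a raw copy of the inpcb, kernel pointers included, by interface contract */` would show the exposure is deliberate; if it is not, the pointer fields of xi.xi_inp should be cleared after the copy. The loop body continues outside the hunk.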