diff options
| author | emaste <emaste@FreeBSD.org> | 2018-04-05 12:54:12 +0000 |
|---|---|---|
| committer | emaste <emaste@FreeBSD.org> | 2018-04-05 12:54:12 +0000 |
| commit | 66d2c2b6be81d73a9275aa5de0b8efae9fb2ba1a (patch) | |
| tree | e3d22d2bc8309df4970cbf5c45e0c227bc82c026 | |
| parent | fd3044f1ded864688b8531485782ce0738b744ad (diff) | |
| download | FreeBSD-src-66d2c2b6be81d73a9275aa5de0b8efae9fb2ba1a.zip FreeBSD-src-66d2c2b6be81d73a9275aa5de0b8efae9fb2ba1a.tar.gz | |
MFC r332042: Fix kernel memory disclosure in linux_ioctl_socket
strlcpy is used to copy a string into a buffer to be copied to userland,
previously leaving uninitialized data after the terminating NUL. Zero
the buffer first to avoid a kernel memory disclosure.
admbugs: 765, 811
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reported by: Vlad Tsyrklevich
Sponsored by: The FreeBSD Foundation
| -rw-r--r-- | sys/compat/linux/linux_ioctl.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c index e987b25..7a14569 100644 --- a/sys/compat/linux/linux_ioctl.c +++ b/sys/compat/linux/linux_ioctl.c @@ -2478,6 +2478,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioctl_args *args) printf("%s(): ioctl %d on %.*s\n", __func__, args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname); #endif + memset(ifname, 0, sizeof(ifname)); ifp = ifname_linux_to_bsd(td, lifname, ifname); if (ifp == NULL) return (EINVAL); |
