diff options
author | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:50:00 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:50:00 +0000 |
commit | e513415af91332f009d9733c7156e1a4a60c244f (patch) | |
tree | b49c2e551390ab52afef3a68a53ec4b29faefa23 /sys/kern/subr_rman.c | |
parent | e4a28513e82eb23a2f1155a31e13cd9091ff21be (diff) | |
download | FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.zip FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.tar.gz |
If we are going to
1. Copy a NULL-terminated string into a fixed-length buffer, and
2. copyout that buffer to userland,
we really ought to
0. Zero the entire buffer
first.
Security: FreeBSD-SA-05:08.kmem
Diffstat (limited to 'sys/kern/subr_rman.c')
-rw-r--r-- | sys/kern/subr_rman.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/kern/subr_rman.c b/sys/kern/subr_rman.c index 61d50a1..31ffa02 100644 --- a/sys/kern/subr_rman.c +++ b/sys/kern/subr_rman.c @@ -761,6 +761,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS) * resource manager. */ if (res_idx == -1) { + bzero(&urm, sizeof(urm)); urm.rm_handle = (uintptr_t)rm; strlcpy(urm.rm_descr, rm->rm_descr, RM_TEXTLEN); urm.rm_start = rm->rm_start; @@ -776,6 +777,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS) */ TAILQ_FOREACH(res, &rm->rm_list, r_link) { if (res_idx-- == 0) { + bzero(&ures, sizeof(ures)); ures.r_handle = (uintptr_t)res; ures.r_parent = (uintptr_t)res->r_rm; ures.r_device = (uintptr_t)res->r_dev; |