If we are going to

1. Copy a NULL-terminated string into a fixed-length buffer, and 2. copyout that buffer to userland, we really ought to 0. Zero the entire buffer first. Security: FreeBSD-SA-05:08.kmem
author: cperciva <cperciva@FreeBSD.org> 2005-05-06 02:50:00 +0000
committer: cperciva <cperciva@FreeBSD.org> 2005-05-06 02:50:00 +0000
commit: e513415af91332f009d9733c7156e1a4a60c244f (patch)
tree: b49c2e551390ab52afef3a68a53ec4b29faefa23 /sys/kern/subr_rman.c
parent: e4a28513e82eb23a2f1155a31e13cd9091ff21be (diff)
download: FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.zip
FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/kern/subr_rman.c b/sys/kern/subr_rman.c
index 61d50a1..31ffa02 100644
--- a/sys/kern/subr_rman.c
+++ b/sys/kern/subr_rman.c
@@ -761,6 +761,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 * resource manager.
 	 */
 	if (res_idx == -1) {
+		bzero(&urm, sizeof(urm));
 		urm.rm_handle = (uintptr_t)rm;
 		strlcpy(urm.rm_descr, rm->rm_descr, RM_TEXTLEN);
 		urm.rm_start = rm->rm_start;
@@ -776,6 +777,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 */
 	TAILQ_FOREACH(res, &rm->rm_list, r_link) {
 		if (res_idx-- == 0) {
+			bzero(&ures, sizeof(ures));
 			ures.r_handle = (uintptr_t)res;
 			ures.r_parent = (uintptr_t)res->r_rm;
 			ures.r_device = (uintptr_t)res->r_dev;
author	cperciva <cperciva@FreeBSD.org>	2005-05-06 02:50:00 +0000
committer	cperciva <cperciva@FreeBSD.org>	2005-05-06 02:50:00 +0000
commit	e513415af91332f009d9733c7156e1a4a60c244f (patch)
tree	b49c2e551390ab52afef3a68a53ec4b29faefa23 /sys/kern/subr_rman.c
parent	e4a28513e82eb23a2f1155a31e13cd9091ff21be (diff)
download	FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.zip FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.tar.gz