summaryrefslogtreecommitdiffstats
path: root/sys/kern/vfs_subr.c
diff options
context:
space:
mode:
authorcperciva <cperciva@FreeBSD.org>2005-05-06 02:50:00 +0000
committercperciva <cperciva@FreeBSD.org>2005-05-06 02:50:00 +0000
commite513415af91332f009d9733c7156e1a4a60c244f (patch)
treeb49c2e551390ab52afef3a68a53ec4b29faefa23 /sys/kern/vfs_subr.c
parente4a28513e82eb23a2f1155a31e13cd9091ff21be (diff)
downloadFreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.zip
FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.tar.gz
If we are going to
1. Copy a NULL-terminated string into a fixed-length buffer, and 2. copyout that buffer to userland, we really ought to 0. Zero the entire buffer first. Security: FreeBSD-SA-05:08.kmem
Diffstat (limited to 'sys/kern/vfs_subr.c')
-rw-r--r--sys/kern/vfs_subr.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 001c49e..dee3a1b 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2473,6 +2473,7 @@ sysctl_vfs_conflist(SYSCTL_HANDLER_ARGS)
error = 0;
TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+ bzero(&xvfsp, sizeof(xvfsp));
vfsconf2x(vfsp, &xvfsp);
error = SYSCTL_OUT(req, &xvfsp, sizeof xvfsp);
if (error)
@@ -2517,6 +2518,7 @@ vfs_sysctl(SYSCTL_HANDLER_ARGS)
break;
if (vfsp == NULL)
return (EOPNOTSUPP);
+ bzero(&xvfsp, sizeof(xvfsp));
vfsconf2x(vfsp, &xvfsp);
return (SYSCTL_OUT(req, &xvfsp, sizeof(xvfsp)));
}
@@ -2536,6 +2538,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
struct ovfsconf ovfs;
TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+ bzero(&ovfs, sizeof(ovfs));
ovfs.vfc_vfsops = vfsp->vfc_vfsops; /* XXX used as flag */
strcpy(ovfs.vfc_name, vfsp->vfc_name);
ovfs.vfc_index = vfsp->vfc_typenum;
OpenPOWER on IntegriCloud