diff options
author | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:50:00 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2005-05-06 02:50:00 +0000 |
commit | e513415af91332f009d9733c7156e1a4a60c244f (patch) | |
tree | b49c2e551390ab52afef3a68a53ec4b29faefa23 /sys/netinet/udp_usrreq.c | |
parent | e4a28513e82eb23a2f1155a31e13cd9091ff21be (diff) | |
download | FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.zip FreeBSD-src-e513415af91332f009d9733c7156e1a4a60c244f.tar.gz |
If we are going to
1. Copy a NULL-terminated string into a fixed-length buffer, and
2. copyout that buffer to userland,
we really ought to
0. Zero the entire buffer
first.
Security: FreeBSD-SA-05:08.kmem
Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r-- | sys/netinet/udp_usrreq.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 42ee928..ef8c62d 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -611,6 +611,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) inp = inp_list[i]; if (inp->inp_gencnt <= gencnt) { struct xinpcb xi; + bzero(&xi, sizeof(xi)); xi.xi_len = sizeof xi; /* XXX should avoid extra copy */ bcopy(inp, &xi.xi_inp, sizeof *inp); |