diff options
| author | philip <philip@FreeBSD.org> | 2007-12-05 19:32:07 +0000 |
|---|---|---|
| committer | philip <philip@FreeBSD.org> | 2007-12-05 19:32:07 +0000 |
| commit | c2ee5917b0914026950465c0d4da515901da2989 (patch) | |
| tree | 863e2e88958998a6e8c22156fd6e6f5e25c85a2c /sys | |
| parent | 2271bb9685541401cad85f84d1a3260c2051a516 (diff) | |
| download | FreeBSD-src-c2ee5917b0914026950465c0d4da515901da2989.zip FreeBSD-src-c2ee5917b0914026950465c0d4da515901da2989.tar.gz | |
Plug two potential (root-only, local) information leaks. buf is not
initialized before use and returned integrally instead of up to size.
Submitted by: Ilja van Sprundel <ilja -at- netric.org>
Reviewed by: secteam
MFC after: 1 day
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/ipw/if_ipw.c | 8 | ||||
| -rw-r--r-- | sys/dev/iwi/if_iwi.c | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/sys/dev/ipw/if_ipw.c b/sys/dev/ipw/if_ipw.c index 2f16feb..8a69a40 100644 --- a/sys/dev/ipw/if_ipw.c +++ b/sys/dev/ipw/if_ipw.c @@ -2700,10 +2700,10 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS) struct ipw_softc *sc = arg1; uint32_t i, size, buf[256]; - if (!(sc->flags & IPW_FLAG_FW_INITED)) { - memset(buf, 0, sizeof buf); + memset(buf, 0, sizeof buf); + + if (!(sc->flags & IPW_FLAG_FW_INITED)) return SYSCTL_OUT(req, buf, sizeof buf); - } CSR_WRITE_4(sc, IPW_CSR_AUTOINC_ADDR, sc->table1_base); @@ -2711,7 +2711,7 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS) for (i = 1; i < size; i++) buf[i] = MEM_READ_4(sc, CSR_READ_4(sc, IPW_CSR_AUTOINC_DATA)); - return SYSCTL_OUT(req, buf, sizeof buf); + return SYSCTL_OUT(req, buf, size); } static int diff --git a/sys/dev/iwi/if_iwi.c b/sys/dev/iwi/if_iwi.c index f4572d3..97dad68 100644 --- a/sys/dev/iwi/if_iwi.c +++ b/sys/dev/iwi/if_iwi.c @@ -3327,15 +3327,15 @@ iwi_sysctl_stats(SYSCTL_HANDLER_ARGS) struct iwi_softc *sc = arg1; uint32_t size, buf[128]; - if (!(sc->flags & IWI_FLAG_FW_INITED)) { - memset(buf, 0, sizeof buf); + memset(buf, 0, sizeof buf); + + if (!(sc->flags & IWI_FLAG_FW_INITED)) return SYSCTL_OUT(req, buf, sizeof buf); - } size = min(CSR_READ_4(sc, IWI_CSR_TABLE0_SIZE), 128 - 1); CSR_READ_REGION_4(sc, IWI_CSR_TABLE0_BASE, &buf[1], size); - return SYSCTL_OUT(req, buf, sizeof buf); + return SYSCTL_OUT(req, buf, size); } static int |
