From c2ee5917b0914026950465c0d4da515901da2989 Mon Sep 17 00:00:00 2001
From: philip
Date: Wed, 5 Dec 2007 19:32:07 +0000
Subject: Plug two potential (root-only, local) information leaks. buf is not initialized before use and returned integrally instead of up to size.
Submitted by: Ilja van Sprundel
Reviewed by: secteam
MFC after: 1 day
---
 sys/dev/ipw/if_ipw.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'sys/dev/ipw')
diff --git a/sys/dev/ipw/if_ipw.c b/sys/dev/ipw/if_ipw.c
index 2f16feb..8a69a40 100644
--- a/sys/dev/ipw/if_ipw.c
+++ b/sys/dev/ipw/if_ipw.c
@@ -2700,10 +2700,10 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
 struct ipw_softc *sc = arg1;
 uint32_t i, size, buf[256];
 
- if (!(sc->flags & IPW_FLAG_FW_INITED)) {
- memset(buf, 0, sizeof buf);
+ memset(buf, 0, sizeof buf);
+
+ if (!(sc->flags & IPW_FLAG_FW_INITED))
 return SYSCTL_OUT(req, buf, sizeof buf);
- }
 
 CSR_WRITE_4(sc, IPW_CSR_AUTOINC_ADDR, sc->table1_base);
 
@@ -2711,7 +2711,7 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
 for (i = 1; i < size; i++)
 buf[i] = MEM_READ_4(sc, CSR_READ_4(sc, IPW_CSR_AUTOINC_DATA));
 
- return SYSCTL_OUT(req, buf, sizeof buf);
+ return SYSCTL_OUT(req, buf, size);
 }
 
 static int
-- 
cgit v1.1
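Review bot: The `memset(buf, 0, sizeof buf);` that now runs ahead of the `IPW_FLAG_FW_INITED` check carries no comment explaining why the whole array is cleared unconditionally, so a later cleanup could move it back into the early-return branch and reopen the leak. I would add above it `/* buf is copied out to userland; clear all of it so words the read loop does not fill never expose stale kernel stack contents */`. In the lines shown, the read loop in the following hunk starts at `i = 1`, so `buf[0]` appears to depend on this zeroing too. ipw_sysctl_stats begins above this hunk and continues below it.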
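Review bot: `SYSCTL_OUT(req, buf, size)` passes `size` as a byte length, yet the loop directly above uses the same `size` as an index bound over `uint32_t buf[256]`, so only the first `size` bytes, about a quarter of the words read, would reach the caller. If `size` is an element count, the call should be `return SYSCTL_OUT(req, buf, size * sizeof buf[0]);`. The assignment to `size` lies outside this hunk, so whether it is clamped to the 256 entries of `buf` cannot be seen here. That clamp is what keeps both the `buf[i]` writes and the copy-out length inside the array, and it is worth confirming before relying on `size` as the output length.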