Plug two potential (root-only, local) information leaks. buf is not
initialized before use and returned integrally instead of up to size. Submitted by: Ilja van Sprundel <ilja -at- netric.org> Reviewed by: secteam MFC after: 1 day
This commit is contained in:
parent
817a9ffcc4
commit
6c3c35e413
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=174317
@ -2700,10 +2700,10 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
|
||||
struct ipw_softc *sc = arg1;
|
||||
uint32_t i, size, buf[256];
|
||||
|
||||
if (!(sc->flags & IPW_FLAG_FW_INITED)) {
|
||||
memset(buf, 0, sizeof buf);
|
||||
memset(buf, 0, sizeof buf);
|
||||
|
||||
if (!(sc->flags & IPW_FLAG_FW_INITED))
|
||||
return SYSCTL_OUT(req, buf, sizeof buf);
|
||||
}
|
||||
|
||||
CSR_WRITE_4(sc, IPW_CSR_AUTOINC_ADDR, sc->table1_base);
|
||||
|
||||
@ -2711,7 +2711,7 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
|
||||
for (i = 1; i < size; i++)
|
||||
buf[i] = MEM_READ_4(sc, CSR_READ_4(sc, IPW_CSR_AUTOINC_DATA));
|
||||
|
||||
return SYSCTL_OUT(req, buf, sizeof buf);
|
||||
return SYSCTL_OUT(req, buf, size);
|
||||
}
|
||||
|
||||
static int
|
||||
|
@ -3327,15 +3327,15 @@ iwi_sysctl_stats(SYSCTL_HANDLER_ARGS)
|
||||
struct iwi_softc *sc = arg1;
|
||||
uint32_t size, buf[128];
|
||||
|
||||
if (!(sc->flags & IWI_FLAG_FW_INITED)) {
|
||||
memset(buf, 0, sizeof buf);
|
||||
memset(buf, 0, sizeof buf);
|
||||
|
||||
if (!(sc->flags & IWI_FLAG_FW_INITED))
|
||||
return SYSCTL_OUT(req, buf, sizeof buf);
|
||||
}
|
||||
|
||||
size = min(CSR_READ_4(sc, IWI_CSR_TABLE0_SIZE), 128 - 1);
|
||||
CSR_READ_REGION_4(sc, IWI_CSR_TABLE0_BASE, &buf[1], size);
|
||||
|
||||
return SYSCTL_OUT(req, buf, sizeof buf);
|
||||
return SYSCTL_OUT(req, buf, size);
|
||||
}
|
||||
|
||||
static int
|
||||
|
Loading…
Reference in New Issue
Block a user