Plug two potential (root-only, local) information leaks. buf is not

initialized before use and returned integrally instead of up to size. Submitted by: Ilja van Sprundel <ilja -at- netric.org> Reviewed by: secteam MFC after: 1 day
svn path=/head/; revision=174317
2007-12-05 19:32:07 +00:00 · 2007-12-05 19:32:07 +00:00 · 6c3c35e413 · 2020-12-20 02:59:44 +00:00
commit 6c3c35e413
parent 817a9ffcc4
2 changed files with 8 additions and 8 deletions
--- a/sys/dev/ipw/if_ipw.c
+++ b/sys/dev/ipw/if_ipw.c
@ -2700,10 +2700,10 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
 	struct ipw_softc *sc = arg1;
 	uint32_t i, size, buf[256];

-	if (!(sc->flags & IPW_FLAG_FW_INITED)) {
-		memset(buf, 0, sizeof buf);
+	memset(buf, 0, sizeof buf);
+
+	if (!(sc->flags & IPW_FLAG_FW_INITED))
 		return SYSCTL_OUT(req, buf, sizeof buf);
-	}

 	CSR_WRITE_4(sc, IPW_CSR_AUTOINC_ADDR, sc->table1_base);

@ -2711,7 +2711,7 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS)
 	for (i = 1; i < size; i++)
 		buf[i] = MEM_READ_4(sc, CSR_READ_4(sc, IPW_CSR_AUTOINC_DATA));

-	return SYSCTL_OUT(req, buf, sizeof buf);
+	return SYSCTL_OUT(req, buf, size);
 }

 static int
--- a/sys/dev/iwi/if_iwi.c
+++ b/sys/dev/iwi/if_iwi.c
@ -3327,15 +3327,15 @@ iwi_sysctl_stats(SYSCTL_HANDLER_ARGS)
 	struct iwi_softc *sc = arg1;
 	uint32_t size, buf[128];

-	if (!(sc->flags & IWI_FLAG_FW_INITED)) {
-		memset(buf, 0, sizeof buf);
+	memset(buf, 0, sizeof buf);
+
+	if (!(sc->flags & IWI_FLAG_FW_INITED))
 		return SYSCTL_OUT(req, buf, sizeof buf);
-	}

 	size = min(CSR_READ_4(sc, IWI_CSR_TABLE0_SIZE), 128 - 1);
 	CSR_READ_REGION_4(sc, IWI_CSR_TABLE0_BASE, &buf[1], size);

-	return SYSCTL_OUT(req, buf, sizeof buf);
+	return SYSCTL_OUT(req, buf, size);
 }

 static int