From 60d6b01bb9adb0f0c08b47ef889e67d2fc4a7fcb Mon Sep 17 00:00:00 2001 From: emaste Date: Tue, 2 Jan 2018 19:34:23 +0000 Subject: [PATCH] ath: fix possible memory disclosures in ioctl handlers Apply the fix from r327499 to additional ioctl handlers. Reported by: Ilja van Sprundel MFC after: 1 week MFC with: r327499 Sponsored by: The FreeBSD Foundation --- sys/dev/ath/if_ath_lna_div.c | 3 ++- sys/dev/ath/if_ath_spectral.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/dev/ath/if_ath_lna_div.c b/sys/dev/ath/if_ath_lna_div.c index aa4b9a2177cb..7b970285b9b7 100644 --- a/sys/dev/ath/if_ath_lna_div.c +++ b/sys/dev/ath/if_ath_lna_div.c @@ -189,7 +189,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -198,6 +198,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad) switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; diff --git a/sys/dev/ath/if_ath_spectral.c b/sys/dev/ath/if_ath_spectral.c index ea82a7ae09ea..eaf91b9b1cab 100644 --- a/sys/dev/ath/if_ath_spectral.c +++ b/sys/dev/ath/if_ath_spectral.c @@ -219,7 +219,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -282,6 +282,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad) break; default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize;