d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ath: fix memory disclosure from ath_btcoex_ioctl

Browse Source 
The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
returned it to userland without writing to it.

The device has permissions only for root so this is not urgent, and the
fix can be MFCd and considered for a future EN.

Reported by:	Ilja van Sprundel <ivansprundel@ioactive.com>
Submitted by:	Domagoj Stolfa <domagoj.stolfa@gmail.com>
Reviewed by:	adrian
MFC after:	1 week
This commit is contained in:
Ed Maste 2018-01-02 19:29:30 +00:00
parent 5d8501f487
commit 85f385b9aa
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/dev/ath/if_ath_btcoex.c
View File

@ -459,7 +459,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad)
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
outdata = malloc(outsize, M_TEMP, M_NOWAIT);
outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@ -468,6 +468,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad)
switch (id) {
default:
error = EINVAL;
goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;