If we are going to

1. Copy a NULL-terminated string into a fixed-length buffer, and 2. copyout that buffer to userland, we really ought to 0. Zero the entire buffer first. Security: FreeBSD-SA-05:08.kmem
2005-05-06 02:50:00 +00:00 · 2005-05-06 02:50:00 +00:00 · e513415af9
commit e513415af9
parent e4a28513e8
7 changed files with 10 additions and 0 deletions
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@ -3954,6 +3954,7 @@ sysctl_devices(SYSCTL_HANDLER_ARGS)
 	/*
 	 * Populate the return array.
 	 */
+	bzero(&udev, sizeof(udev));
 	udev.dv_handle = (uintptr_t)dev;
 	udev.dv_parent = (uintptr_t)dev->parent;
 	if (dev->nameunit == NULL)
--- a/sys/kern/subr_rman.c
+++ b/sys/kern/subr_rman.c
@ -761,6 +761,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 * resource manager.
 	 */
 	if (res_idx == -1) {
+		bzero(&urm, sizeof(urm));
 		urm.rm_handle = (uintptr_t)rm;
 		strlcpy(urm.rm_descr, rm->rm_descr, RM_TEXTLEN);
 		urm.rm_start = rm->rm_start;
@ -776,6 +777,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 */
 	TAILQ_FOREACH(res, &rm->rm_list, r_link) {
 		if (res_idx-- == 0) {
+			bzero(&ures, sizeof(ures));
 			ures.r_handle = (uintptr_t)res;
 			ures.r_parent = (uintptr_t)res->r_rm;
 			ures.r_device = (uintptr_t)res->r_dev;
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@ -2473,6 +2473,7 @@ sysctl_vfs_conflist(SYSCTL_HANDLER_ARGS)

 	error = 0;
 	TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+		bzero(&xvfsp, sizeof(xvfsp));
 		vfsconf2x(vfsp, &xvfsp);
 		error = SYSCTL_OUT(req, &xvfsp, sizeof xvfsp);
 		if (error)
@ -2517,6 +2518,7 @@ vfs_sysctl(SYSCTL_HANDLER_ARGS)
 				break;
 		if (vfsp == NULL)
 			return (EOPNOTSUPP);
+		bzero(&xvfsp, sizeof(xvfsp));
 		vfsconf2x(vfsp, &xvfsp);
 		return (SYSCTL_OUT(req, &xvfsp, sizeof(xvfsp)));
 	}
@ -2536,6 +2538,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
 	struct ovfsconf ovfs;

 	TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+		bzero(&ovfs, sizeof(ovfs));
 		ovfs.vfc_vfsops = vfsp->vfc_vfsops;	/* XXX used as flag */
 		strcpy(ovfs.vfc_name, vfsp->vfc_name);
 		ovfs.vfc_index = vfsp->vfc_typenum;
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@ -90,6 +90,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
 		return ENOENT;

 	case IFDATA_GENERAL:
+		bzero(&ifmd, sizeof(ifmd));
 		strlcpy(ifmd.ifmd_name, ifp->if_xname, sizeof(ifmd.ifmd_name));

 #define COPY(fld) ifmd.ifmd_##fld = ifp->if_##fld
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@ -577,6 +577,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -847,6 +847,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@ -611,6 +611,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);