authorColin Percival <cperciva@FreeBSD.org>2005-04-15 01:53:14 +0000
committerColin Percival <cperciva@FreeBSD.org>2005-04-15 01:53:14 +0000
commite137478c40733b56a78f049cf96b03aa187bf008 (patch)
tree5f43ea3f9c780c983af5fef88a777ae47150e3d1
parentf08630026f3235f913cf96ad8ffdbff3e7fd6277 (diff)
Zero the ifr.ifr_name buffer in ifconf() in order to avoid
accidental disclosure of kernel memory to userland.

Security: FreeBSD-SA-05:04.ifconf
Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.11/; revision=145096
-rw-r--r--UPDATING4
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/net/if.c6
3 files changed, 11 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index c66218c70723..fb35bfc936af 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050414: p3 FreeBSD-SA-05:04.ifconf
+ Zero a buffer in ifconf() in order to avoid accidental
+ disclosure of kernel memory to userland.
+
20050404: p2 FreeBSD-SA-05:02.sendfile
Correct kernel memory disclosure bug in sendfile(2).
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ea723f07792c..688acec22b27 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/net/if.c b/sys/net/if.c
index 795745204443..9e0883b49396 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1326,6 +1326,12 @@ ifconf(cmd, data)
char workbuf[64];
int ifnlen, addrs;
+ /*
+ * Zero the ifr_name buffer to make sure we don't
+ * disclose the contents of the stack.
+ */
+ memset(ifr.ifr_name, 0, sizeof(ifr.ifr_name));
+
if (space <= sizeof (ifr))
break;
ifnlen = snprintf(workbuf, sizeof(workbuf),
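Review bot: The added memset clears only `ifr.ifr_name`, so every other byte of `ifr` that is later copied to userland still relies on the code below writing it in full. The copyout paths and the declaration of `ifr` are outside this hunk, so this is inferred rather than shown, but any path that copies `sizeof(ifr)` after filling only part of the address member would still expose stack contents. Clearing the whole structure in the same place, `memset(&ifr, 0, sizeof(ifr));`, would cover the name, the address union and any padding at once, with the comment reworded to `Zero ifr so that no uninitialised stack bytes are copied out.` The body of ifconf() starts before and continues past the hunk.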