aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMaxim Konovalov <maxim@FreeBSD.org>2005-04-21 18:13:16 +0000
committerMaxim Konovalov <maxim@FreeBSD.org>2005-04-21 18:13:16 +0000
commit0873e93df12c77e1b0640ad604c3401ec2056e70 (patch)
treef572f6b91f1caaba9f9ca22f34bc52496511fba1
parenta39fbcf41c46859057dceea9a479d08a733dbebd (diff)
downloadsrc-0873e93df12c77e1b0640ad604c3401ec2056e70.tar.gz
src-0873e93df12c77e1b0640ad604c3401ec2056e70.zip
o Merge SA-05:04.ifconf.
Approved by: so (cperciva) Thanks for testing to: Valentin Nechayev
Notes
Notes: svn path=/releng/4.9/; revision=145366
-rw-r--r--UPDATING4
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/net/if.c6
3 files changed, 11 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 9149c3000c63..38bf8b1013e7 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050421: p15 FreeBSD-SA-05:04.ifconf
+ Zero a buffer in ifconf() in order to avoid accidental
+ disclosure of kernel memory to userland.
+
20050408: p14 FreeBSD-SA-04:17.procfs, FreeBSD-SA-05:01.telnet,
FreeBSD-SA-05:02.sendfile
Fix a tainted pointer dereference in procfs(5) and linprocfs(5)
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index af4fc7f70a7f..2e61675a1c65 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.9"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/net/if.c b/sys/net/if.c
index 0e5a7243ec31..b5c798a96034 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1303,6 +1303,12 @@ ifconf(cmd, data)
char workbuf[64];
int ifnlen, addrs;
+ /*
+ * Zero the ifr_name buffer to make sure we don't
+ * disclose the contents of the stack.
+ */
+ memset(ifr.ifr_name, 0, sizeof(ifr.ifr_name));
+
if (space <= sizeof (ifr))
break;
ifnlen = snprintf(workbuf, sizeof(workbuf),