diff options
| author | Philip Paeps <philip@FreeBSD.org> | 2007-12-05 19:32:07 +0000 |
|---|---|---|
| committer | Philip Paeps <philip@FreeBSD.org> | 2007-12-05 19:32:07 +0000 |
| commit | 6c3c35e413045036ccf83845b238c0e62ba2b738 (patch) | |
| tree | 863e2e88958998a6e8c22156fd6e6f5e25c85a2c /sys/dev/ipw | |
| parent | 817a9ffcc425b1f824f05c423610cb15e7cd4d1e (diff) | |
| download | src-6c3c35e413045036ccf83845b238c0e62ba2b738.tar.gz src-6c3c35e413045036ccf83845b238c0e62ba2b738.zip | |
Plug two potential (root-only, local) information leaks. buf is not
initialized before use and returned integrally instead of up to size.
Submitted by: Ilja van Sprundel <ilja -at- netric.org>
Reviewed by: secteam
MFC after: 1 day
Notes
Notes:
svn path=/head/; revision=174317
Diffstat (limited to 'sys/dev/ipw')
| -rw-r--r-- | sys/dev/ipw/if_ipw.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/dev/ipw/if_ipw.c b/sys/dev/ipw/if_ipw.c index 2f16feb788e2..8a69a405627e 100644 --- a/sys/dev/ipw/if_ipw.c +++ b/sys/dev/ipw/if_ipw.c @@ -2700,10 +2700,10 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS) struct ipw_softc *sc = arg1; uint32_t i, size, buf[256]; - if (!(sc->flags & IPW_FLAG_FW_INITED)) { - memset(buf, 0, sizeof buf); + memset(buf, 0, sizeof buf); + + if (!(sc->flags & IPW_FLAG_FW_INITED)) return SYSCTL_OUT(req, buf, sizeof buf); - } CSR_WRITE_4(sc, IPW_CSR_AUTOINC_ADDR, sc->table1_base); @@ -2711,7 +2711,7 @@ ipw_sysctl_stats(SYSCTL_HANDLER_ARGS) for (i = 1; i < size; i++) buf[i] = MEM_READ_4(sc, CSR_READ_4(sc, IPW_CSR_AUTOINC_DATA)); - return SYSCTL_OUT(req, buf, sizeof buf); + return SYSCTL_OUT(req, buf, size); } static int |