author | Xin LI <delphij@FreeBSD.org> | 2014-07-08 21:54:23 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2014-07-08 21:54:23 +0000 |
commit | 2827952eb43b9d722faa445be110f0a950715e99 (patch) | |
tree | 280bfe4f2d15ba7be50e0e2aaea5b8c4a00428ad /sys | |
parent | 725d0727322c44ce010c6b502a045f4ac99dacc7 (diff) | |
Don't leave the padding between the msg header and the cmsg data,
and the padding after the cmsg data un-initialized.
Submitted by: tuexen
Security: CVE-2014-3952
Security: FreeBSD-SA-14:17.kmem
Notes
Notes:
svn path=/head/; revision=268430
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/uipc_sockbuf.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index d804d9ae3f39..258208959801 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int level)
 m->m_len = 0;
 KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
 ("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
 if (p != NULL)
 (void)memcpy(CMSG_DATA(cp), p, size);
 m->m_len = CMSG_SPACE(size); |
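Review bot: The length zeroed by the new `bzero(cp, CMSG_SPACE((u_int)size))` and the length published two lines later in `m->m_len = CMSG_SPACE(size)` are spelled differently (with and without the `(u_int)` cast), so the guarantee that every byte counted in `m_len` has been initialized depends on both expressions evaluating to the same value; writing the last line as `m->m_len = CMSG_SPACE((u_int)size);` would make that explicit. The only bound on the write visible here is the `KASSERT`, which is presumably compiled out of kernels built without INVARIANTS, so the real limit has to come from a size check earlier in `sbcreatecontrol`, whose body starts and ends outside this hunk. The new comment could also state why the padding matters, for example `/* Control mbufs may be copied out to userland; uninitialized padding would disclose kernel memory. */`, which is what the kmem advisory named in the commit message suggests.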