Author: emaste
Date: Thu Apr  5 12:56:40 2018
New Revision: 332066
URL: https://svnweb.freebsd.org/changeset/base/332066

Log:
  MFC r332045: Fix kernel memory disclosure in tcp_ctloutput
  
  strcpy was used to copy a string into a buffer copied to userland, which
  left uninitialized data after the terminating 0-byte.  Use the same
  approach as in tcp_subr.c: strncpy and explicit '\0'.
  
  admbugs:      765, 822
  Reported by:  Ilja Van Sprundel <ivansprun...@ioactive.com>
  Reported by:  Vlad Tsyrklevich
  Security:     Kernel memory disclosure
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/sys/netinet/tcp_usrreq.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/tcp_usrreq.c
==============================================================================
--- stable/11/sys/netinet/tcp_usrreq.c  Thu Apr  5 12:54:12 2018        
(r332065)
+++ stable/11/sys/netinet/tcp_usrreq.c  Thu Apr  5 12:56:40 2018        
(r332066)
@@ -1495,7 +1495,9 @@ tcp_ctloutput(struct socket *so, struct sockopt *sopt)
                return (error);
        } else if ((sopt->sopt_dir == SOPT_GET) && 
            (sopt->sopt_name == TCP_FUNCTION_BLK)) {
-               strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+               strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+                   TCP_FUNCTION_NAME_LEN_MAX);
+               fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
                fsn.pcbcnt = tp->t_fb->tfb_refcnt;
                INP_WUNLOCK(inp);
                error = sooptcopyout(sopt, &fsn, sizeof fsn);
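Review bot: The strncpy() in the TCP_FUNCTION_BLK SOPT_GET branch does two jobs and only one is obvious from the code: besides bounding the copy, its zero-fill of the rest of function_set_name up to TCP_FUNCTION_NAME_LEN_MAX is what keeps uninitialized bytes out of the sooptcopyout(). A one-line comment saying so would stop a later cleanup to strlcpy(), which does not pad, from reintroducing the disclosure. Because the whole struct is copied out with sizeof fsn, a bzero(&fsn, sizeof(fsn)) before filling it in would also cover any padding or members not assigned here; the hunk does not show whether fsn is zeroed where it is declared.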
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
