apm garbage stack value could be accessed

Moritz Buhl Wed, 09 Nov 2022 09:37:52 -0800

Hi tech,

In case send or recv fail in send_command, reply.error is stack
garbage.  This wouldn't be possible if reply was zeroed.  But
checking for ret == 0 ensures that reply was fully written.


OK?
mbuhl

Index: usr.sbin/apm/apm.c
===================================================================
RCS file: /cvs/src/usr.sbin/apm/apm.c,v
retrieving revision 1.42
diff -u -p -r1.42 apm.c
--- usr.sbin/apm/apm.c  10 Sep 2022 10:10:09 -0000      1.42
+++ usr.sbin/apm/apm.c  9 Nov 2022 17:29:03 -0000
@@ -99,6 +99,8 @@ do_zzz(int fd, enum apm_action action)
        char *msg;
        int ret;
 
+       bzero(&reply, sizeof reply);
+
        switch (action) {
        case NONE:
        case SUSPEND:
@@ -119,7 +121,7 @@ do_zzz(int fd, enum apm_action action)
 
        printf("%s...\n", msg);
        ret = send_command(fd, &command, &reply);
-       if (reply.error)
+       if (ret == 0 && reply.error)
                errx(1, "%s: %s", apm_state(reply.newstate), 
strerror(reply.error));
        exit(ret);
 }

apm garbage stack value could be accessed

Reply via email to