Author: delphij
Date: Tue Jul  8 21:54:23 2014
New Revision: 268430
URL: http://svnweb.freebsd.org/changeset/base/268430

Log:
  Don't leave the padding between the msg header and the cmsg data,
  and the padding after the cmsg data un-initialized.
  
  Submitted by: tuexen
  Security:     CVE-2014-3952
  Security:     FreeBSD-SA-14:17.kmem

Modified:
  head/sys/kern/uipc_sockbuf.c

Modified: head/sys/kern/uipc_sockbuf.c
==============================================================================
--- head/sys/kern/uipc_sockbuf.c        Tue Jul  8 21:50:13 2014        
(r268429)
+++ head/sys/kern/uipc_sockbuf.c        Tue Jul  8 21:54:23 2014        
(r268430)
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int
        m->m_len = 0;
        KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
            ("sbcreatecontrol: short mbuf"));
+       /*
+        * Don't leave the padding between the msg header and the
+        * cmsg data and the padding after the cmsg data un-initialized.
+        */
+       bzero(cp, CMSG_SPACE((u_int)size));
        if (p != NULL)
                (void)memcpy(CMSG_DATA(cp), p, size);
        m->m_len = CMSG_SPACE(size);
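Review bot: The added bzero() clears CMSG_SPACE((u_int)size) bytes, but the length published two lines later is m->m_len = CMSG_SPACE(size), without the cast. The zeroed length and the length exposed to the receiver should be the same expression so they cannot diverge. Consider computing the space once into a local and using it for the KASSERT, the bzero() and m_len. The only bound on the bzero() visible in this hunk is the KASSERT, which is compiled in only with INVARIANTS, so confirm that a runtime size check precedes this context on production kernels. Zeroing the whole CMSG_SPACE region before the memcpy() is the right order: the header padding and the trailing padding are both covered whether or not p is NULL.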