Date:      Tue, 8 Jul 2014 21:54:23 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r268430 - head/sys/kern
Message-ID:  <201407082154.s68LsNIo018906@svn.freebsd.org>

Author: delphij
Date: Tue Jul  8 21:54:23 2014
New Revision: 268430
URL: http://svnweb.freebsd.org/changeset/base/268430

Log:
  Don't leave the padding between the msg header and the cmsg data,
  and the padding after the cmsg data un-initialized.
  
  Submitted by:	tuexen
  Security:	CVE-2014-3952
  Security:	FreeBSD-SA-14:17.kmem

Modified:
  head/sys/kern/uipc_sockbuf.c

Modified: head/sys/kern/uipc_sockbuf.c
==============================================================================
--- head/sys/kern/uipc_sockbuf.c	Tue Jul  8 21:50:13 2014	(r268429)
+++ head/sys/kern/uipc_sockbuf.c	Tue Jul  8 21:54:23 2014	(r268430)
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int
 	m->m_len = 0;
 	KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
 	    ("sbcreatecontrol: short mbuf"));
+	/*
+	 * Don't leave the padding between the msg header and the
+	 * cmsg data and the padding after the cmsg data un-initialized.
+	 */
+	bzero(cp, CMSG_SPACE((u_int)size));
 	if (p != NULL)
 		(void)memcpy(CMSG_DATA(cp), p, size);
 	m->m_len = CMSG_SPACE(size);
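Review bot: the added bzero(cp, CMSG_SPACE((u_int)size)) writes the full padded length, and the only bound on that length visible in this hunk is the KASSERT directly above it, which is compiled in only for INVARIANTS kernels. Please confirm that the function rejects an oversized size before this point in production builds as well, or turn the check into a runtime test that returns an error. A smaller style point: the bzero and the KASSERT use CMSG_SPACE((u_int)size) while m->m_len = CMSG_SPACE(size) below does not carry the cast, so the zeroed length and m_len are computed from differently typed arguments; using the same expression in all three places would make it obvious they agree. The new comment could also say that the zeroing covers the cmsg header itself, not only the two padding regions, since the length passed is the whole CMSG_SPACE.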


