From owner-freebsd-security@FreeBSD.ORG Fri May 6 20:22:47 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2CDD016A4D4; Fri, 6 May 2005 20:22:47 +0000 (GMT)
Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD06543D9B; Fri, 6 May 2005 20:22:46 +0000 (GMT) (envelope-from gemini@geminix.org)
Received: from gemini by geminix.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.50 (FreeBSD)) id 1DU9LR-0002Jh-OP; Fri, 06 May 2005 22:22:45 +0200
Message-ID: <427BD214.4070201@geminix.org>
Date: Fri, 06 May 2005 22:22:44 +0200
From: Uwe Doering <gemini@geminix.org>
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050501
To: freebsd-security@freebsd.org
References: <200505060303.j4633Nif089160@freefall.freebsd.org> <427B3F46.8050607@geminix.org>
In-Reply-To: <427B3F46.8050607@geminix.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:08.kmem
List-Id: Security issues [members-only posting] <freebsd-security.freebsd.org>
X-List-Received-Date: Fri, 06 May 2005 20:22:47 -0000

Uwe Doering wrote:
> FreeBSD Security Advisories wrote:
> > [...]
> However, isn't there a similar case in tcp_pcblist()?  Only that this
> time a "struct xtcpcb" variable is concerned.  It isn't guaranteed to be
> completely initialized, either.  Especially since it has the same kind
> of explicit alignment padding at the end as "struct xinpcb", which cannot
> be expected to become initialized in the course of data assignment in
> any case.
> [...]
Well, I'm afraid there is another one in unp_pcblist() (uipc_usrreq.c).
Same story.

After that I searched the whole kernel sources for '_pcblist', but it
turned out that tcp_pcblist() and unp_pcblist() are the only places that
had been overlooked.  At least as far as functions named '*_pcblist' are
concerned ...

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
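The bug class the thread is about, as an added stand-alone demonstration that is not code from the advisory, from the FreeBSD kernel, or from Uwe's post: a sysctl handler fills a struct field by field and then copies the whole object out to userland, so compiler-inserted alignment padding and an explicit trailing pad array that no assignment touches still carry whatever kernel memory held before. The struct name `xpcb_demo`, its members, the `STALE` marker, and the `leak_*` helpers are all invented for this example; `malloc` plus `memset(STALE)` stands in for kernel stack or slab memory, and `memcpy` stands in for `copyout()`. The fix shown is the one the advisory applied in spirit: zero the entire object before filling it.

```c
/* Hypothetical demo of the FreeBSD-SA-05:08.kmem bug class (names invented
 * here; nothing below is the kernel's own code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xA5u   /* marker standing in for leftover kernel memory */

/* Shape modelled on the problem in the thread: a narrow leading field forces
 * interior padding before the 8-byte member, and xp_pad is an explicit
 * alignment pad (like the tail pad in the kernel's xinpcb/xtcpcb) that no
 * per-field assignment ever writes. */
struct xpcb_demo {
    uint8_t  xp_len;
    uint64_t xp_inp;      /* compiler inserts padding before this */
    uint32_t xp_flags;
    uint8_t  xp_pad[4];   /* explicit padding, never assigned */
};

/* Bytes actually written by the field-by-field fill below. */
#define ASSIGNED_BYTES (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint32_t))

/* Stand-in for the kernel memory a handler's local struct lands in:
 * pre-filled with STALE so we can see which bytes the handler never wrote. */
static void *stale_kernel_memory(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    memset(p, STALE, n);
    return p;
}

/* Vulnerable pattern: assign the fields you care about, copy out the lot. */
static void fill_vulnerable(struct xpcb_demo *xp)
{
    xp->xp_len   = (uint8_t)sizeof(*xp);
    xp->xp_inp   = 0x1122334455667788ULL;   /* a "kernel pointer" */
    xp->xp_flags = 0x00000042u;
}

/* Fixed pattern: zero the whole object first, so every byte, padding
 * included, has a defined value before anything is copied to userland. */
static void fill_fixed(struct xpcb_demo *xp)
{
    memset(xp, 0, sizeof(*xp));             /* bzero(&xt, sizeof(xt)) in-kernel */
    fill_vulnerable(xp);
}

/* Simulated copyout() into a user buffer, then count bytes that still carry
 * the STALE marker: each one is a byte of kernel memory a user can read. */
static size_t leaked_bytes(void (*fill)(struct xpcb_demo *))
{
    struct xpcb_demo *xp = stale_kernel_memory(sizeof(struct xpcb_demo));
    unsigned char user_buf[sizeof(struct xpcb_demo)];
    size_t leaked = 0;

    fill(xp);
    memcpy(user_buf, xp, sizeof(user_buf));  /* the copyout() step */
    for (size_t i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == STALE)
            leaked++;
    free(xp);
    return leaked;
}

size_t leak_vulnerable(void) { return leaked_bytes(fill_vulnerable); }
size_t leak_fixed(void)      { return leaked_bytes(fill_fixed); }

int main(void)
{
    printf("sizeof(struct xpcb_demo) = %zu, bytes assigned = %zu\n",
           sizeof(struct xpcb_demo), (size_t)ASSIGNED_BYTES);
    printf("field-by-field fill leaks %zu stale byte(s)\n", leak_vulnerable());
    printf("zero-then-fill      leaks %zu stale byte(s)\n", leak_fixed());
    return 0;
}
```

The exact number of leaked bytes depends on the ABI (the interior padding before `xp_inp` is 7 bytes on amd64 and 3 on i386), which is why grepping for struct definitions is not enough: any `*_pcblist`-style handler that copies a stack or slab object out wholesale has to zero it first, regardless of how carefully the named fields are assigned.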