Date:      Tue, 2 Jan 2018 19:29:31 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r327499 - head/sys/dev/ath
Message-ID:  <201801021929.w02JTV1C018833@repo.freebsd.org>

Author: emaste
Date: Tue Jan  2 19:29:30 2018
New Revision: 327499
URL: https://svnweb.freebsd.org/changeset/base/327499

Log:
  ath: fix memory disclosure from ath_btcoex_ioctl
  
  The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
  returned it to userland without writing to it.
  
  The device has permissions only for root so this is not urgent, and the
  fix can be MFCd and considered for a future EN.
  
  Reported by:	Ilja van Sprundel <ivansprundel@ioactive.com>
  Submitted by:	Domagoj Stolfa <domagoj.stolfa@gmail.com>
  Reviewed by:	adrian
  MFC after:	1 week

Modified:
  head/sys/dev/ath/if_ath_btcoex.c

Modified: head/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- head/sys/dev/ath/if_ath_btcoex.c	Tue Jan  2 18:31:32 2018	(r327498)
+++ head/sys/dev/ath/if_ath_btcoex.c	Tue Jan  2 19:29:30 2018	(r327499)
@@ -459,7 +459,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
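Review bot: the M_ZERO added to the malloc() call has no comment explaining why it is required, and the existing comment above it only says "may want to be more defensive". Since the commit log says this buffer is returned to userland without being written, add a one-line comment at the allocation stating that it must be zeroed because it is copied out, so a later cleanup does not drop the flag as redundant. The hunk also does not show where outsize is derived from; if it comes from the caller's ad_out_size, as the later "outsize < ad->ad_out_size" comparison suggests, confirm it is bounded before this M_NOWAIT allocation.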
@@ -468,6 +468,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
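Review bot: in the default arm, the added "goto bad" jumps past everything after the switch, and default is the only arm visible in this hunk, so the ad_out_size clamp below it cannot be reached until a real case is added. Confirm that the bad label, which is not shown here, frees outdata, because the buffer has already been allocated by the time this jump is taken. A short comment on the default arm noting that no ids are implemented yet would make it clear that the early exit is intentional and that M_ZERO remains as a second line of defence once cases that fill only part of the buffer are added.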


