Date:      Tue, 2 Jan 2018 19:34:23 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r327500 - head/sys/dev/ath
Message-ID:  <201801021934.w02JYNAY022698@repo.freebsd.org>

Author: emaste
Date: Tue Jan  2 19:34:23 2018
New Revision: 327500
URL: https://svnweb.freebsd.org/changeset/base/327500

Log:
  ath: fix possible memory disclosures in ioctl handlers
  
  Apply the fix from r327499 to additional ioctl handlers.
  
  Reported by:	Ilja van Sprundel <ivansprundel@ioactive.com>
  MFC after:	1 week
  MFC with:	r327499
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/dev/ath/if_ath_lna_div.c
  head/sys/dev/ath/if_ath_spectral.c

Modified: head/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- head/sys/dev/ath/if_ath_lna_div.c	Tue Jan  2 19:29:30 2018	(r327499)
+++ head/sys/dev/ath/if_ath_lna_div.c	Tue Jan  2 19:34:23 2018	(r327500)
@@ -189,7 +189,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
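Review bot: The M_ZERO added to the outdata malloc has no comment saying why it is required; the existing comment above it only talks about reclaiming the buffer. Since the log message ties the change to memory disclosure, add a line there stating that the buffer must be zeroed because any bytes the handler does not write would otherwise carry stale kernel heap contents, so that a later cleanup does not drop the flag as redundant.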
@@ -198,6 +198,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
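Review bot: In this switch the only arm is default, so with the new goto bad every id leaves before the `if (outsize < ad->ad_out_size)` clamp that follows, and that code looks unreachable from here. If the handler is a stub awaiting real cases, say so in a comment. Also confirm that the bad label frees outdata, since the allocation in the previous hunk has already succeeded by this point.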

Modified: head/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- head/sys/dev/ath/if_ath_spectral.c	Tue Jan  2 19:29:30 2018	(r327499)
+++ head/sys/dev/ath/if_ath_spectral.c	Tue Jan  2 19:34:23 2018	(r327500)
@@ -219,7 +219,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
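Review bot: The malloc of outdata and its NULL check here duplicate the block in if_ath_lna_div.c line for line, comment included, which is why the M_ZERO fix has to be repeated per file. Consider moving the allocation into one shared helper for these ioctl handlers so the zeroing cannot be missed in a future copy.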
@@ -282,6 +282,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
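Review bot: Only the default arm gets the goto bad; the case ending in `break;` just above it still falls through to the ad_out_size clamp. If any of the handled cases can set error before breaking, they need the same early exit, otherwise a failed request still runs the code after the switch. Worth checking each arm, or testing error once after the switch instead.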


