os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
doc/share/security/patches/EN-18:05/mem.11.1.patch
Gordon Tetlow 73d16f03cd Add today's advisories. 
Approved by:	so
Sponsored by:	The FreeBSD Foundation
2018-05-08 17:24:52 +00:00

139 lines
4 KiB
Diff
Raw Blame History

--- sys/compat/linux/linux_ioctl.c.orig
+++ sys/compat/linux/linux_ioctl.c
@@ -253,6 +253,7 @@
} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
struct linux_hd_big_geometry hdbg;
+ memset(&hdbg, 0, sizeof(hdbg));
hdbg.cylinders = fwcylinders;
hdbg.heads = fwheads;
hdbg.sectors = fwsectors;
@@ -2477,6 +2478,7 @@
printf("%s(): ioctl %d on %.*s\n", __func__,
args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
#endif
+ memset(ifname, 0, sizeof(ifname));
ifp = ifname_linux_to_bsd(td, lifname, ifname);
if (ifp == NULL)
return (EINVAL);
--- sys/compat/linux/linux_ipc.c.orig
+++ sys/compat/linux/linux_ipc.c
@@ -548,6 +548,9 @@
register_t rval;
int cmd, error;
+ memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+ memset(&linux_semid64, 0, sizeof(linux_semid64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_RMID:
cmd = IPC_RMID;
@@ -702,6 +705,8 @@
struct l_msqid64_ds linux_msqid64;
struct msqid_ds bsd_msqid;
+ memset(&linux_msqid64, 0, sizeof(linux_msqid64));
+
bsd_cmd = args->cmd & ~LINUX_IPC_64;
switch (bsd_cmd) {
case LINUX_IPC_INFO:
@@ -708,6 +713,7 @@
case LINUX_MSG_INFO: {
struct l_msginfo linux_msginfo;
+ memset(&linux_msginfo, 0, sizeof(linux_msginfo));
/*
* XXX MSG_INFO uses the same data structure but returns different
* dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -833,6 +839,10 @@
struct shmid_ds bsd_shmid;
int error;
+ memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+ memset(&linux_shmid64, 0, sizeof(linux_shmid64));
+ memset(&linux_shminfo64, 0, sizeof(linux_shminfo64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_INFO: {
--- sys/dev/ath/if_ath_btcoex.c.orig
+++ sys/dev/ath/if_ath_btcoex.c
@@ -457,7 +457,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -466,6 +466,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_ioctl.c.orig
+++ sys/dev/ath/if_ath_ioctl.c
@@ -197,7 +197,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
--- sys/dev/ath/if_ath_lna_div.c.orig
+++ sys/dev/ath/if_ath_lna_div.c
@@ -187,7 +187,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -196,6 +196,7 @@
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_spectral.c.orig
+++ sys/dev/ath/if_ath_spectral.c
@@ -212,7 +212,7 @@
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -275,6 +275,7 @@
break;
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
--- sys/netinet/tcp_usrreq.c.orig
+++ sys/netinet/tcp_usrreq.c
@@ -1495,7 +1495,9 @@
return (error);
} else if ((sopt->sopt_dir == SOPT_GET) &&
(sopt->sopt_name == TCP_FUNCTION_BLK)) {
- strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+ strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+ TCP_FUNCTION_NAME_LEN_MAX);
+ fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
fsn.pcbcnt = tp->t_fb->tfb_refcnt;
INP_WUNLOCK(inp);
error = sooptcopyout(sopt, &fsn, sizeof fsn);
Reference in a new issue View git blame Copy permalink