Fix an integer overflow in computing the size of a temporary buffer, which can result in a buffer which is too small for the requested operation. [13:09]

Fix a bug that could lead to kernel memory disclosure with SCTP state cookie. [13:10]

Add latest errata notices: Fix a data corruption problem with mfi(4) operating on > 2TB disks in a JBOD. [EN-13:03]
19 lines
645 B
Index: sys/netinet/sctp_output.c
===================================================================
--- sys/netinet/sctp_output.c (revision 254337)
+++ sys/netinet/sctp_output.c (revision 254338)
@@ -5406,6 +5406,14 @@
}
SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ /*
+ * We might not overwrite the identification[] completely and on
+ * some platforms time_entered will contain some padding. Therefore
+ * zero out the cookie to avoid putting uninitialized memory on the
+ * wire.
+ */
+ memset(&stc, 0, sizeof(struct sctp_state_cookie));
+
/* the time I built cookie */
(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
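Review bot: In the added memset() ahead of the "the time I built cookie" step, the length is written as sizeof(struct sctp_state_cookie) rather than sizeof(stc); tying the size to the variable keeps the clear correct if the type of stc ever changes. The placement before the first field assignment is right, since field-by-field stores never initialize padding or the unused tail of identification[]. The comment could also state that stc is later copied into the outgoing chunk as-is, so a reader sees why the whole struct, and not only the named fields, has to be zeroed. Since only this one hunk is visible here, it is worth confirming that no other path in this file builds a state cookie in a stack variable without the same clearing.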