svn commit: r268430 - head/sys/kern
Xin LI
delphij at FreeBSD.org
Tue Jul 8 21:54:24 UTC 2014
Author: delphij
Date: Tue Jul 8 21:54:23 2014
New Revision: 268430
URL: http://svnweb.freebsd.org/changeset/base/268430
Log:
Don't leave the padding between the msg header and the cmsg data,
and the padding after the cmsg data un-initialized.
Submitted by: tuexen
Security: CVE-2014-3952
Security: FreeBSD-SA-14:17.kmem
Modified:
head/sys/kern/uipc_sockbuf.c
Modified: head/sys/kern/uipc_sockbuf.c
==============================================================================
--- head/sys/kern/uipc_sockbuf.c Tue Jul 8 21:50:13 2014 (r268429)
+++ head/sys/kern/uipc_sockbuf.c Tue Jul 8 21:54:23 2014 (r268430)
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
More information about the svn-src-head
mailing list