svn commit: r327499 - head/sys/dev/ath
Ed Maste
emaste at FreeBSD.org
Tue Jan 2 19:29:32 UTC 2018
Author: emaste
Date: Tue Jan 2 19:29:30 2018
New Revision: 327499
URL: https://svnweb.freebsd.org/changeset/base/327499
Log:
ath: fix memory disclosure from ath_btcoex_ioctl
The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
returned it to userland without writing to it.
The device has permissions only for root so this is not urgent, and the
fix can be MFCd and considered for a future EN.
Reported by: Ilja van Sprundel <ivansprundel at ioactive.com>
Submitted by: Domagoj Stolfa <domagoj.stolfa at gmail.com>
Reviewed by: adrian
MFC after: 1 week
Modified:
head/sys/dev/ath/if_ath_btcoex.c
Modified: head/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- head/sys/dev/ath/if_ath_btcoex.c Tue Jan 2 18:31:32 2018 (r327498)
+++ head/sys/dev/ath/if_ath_btcoex.c Tue Jan 2 19:29:30 2018 (r327499)
@@ -459,7 +459,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -468,6 +468,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
More information about the svn-src-all
mailing list