jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-18 23:10:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak

Browse Source 
The AFSStoreVolumeStatus structure is used as an input to the
RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of kernel memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ib309e6b00b95bc4178740352899d7f940f2eb1ea
This commit is contained in:
Benjamin Kaduk 2016-03-14 23:15:20 -05:00
parent b85c5f9339
commit 67646c7c90
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/WINNT/afsd/cm_ioctl.c
View File

@ -652,6 +652,7 @@ cm_IoctlSetVolumeStatus(struct cm_ioctl *ioctlp, struct cm_user *userp, cm_scach
clientchar_t *strp; clientchar_t *strp;
struct rx_connection * rxconnp; struct rx_connection * rxconnp;
memset(&storeStat, 0, sizeof(storeStat));
#ifdef AFS_FREELANCE_CLIENT #ifdef AFS_FREELANCE_CLIENT
if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) { if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) {
code = CM_ERROR_NOACCESS; code = CM_ERROR_NOACCESS;

1
src/afs/afs_pioctl.c
View File

@ -2074,6 +2074,7 @@ DECL_PIOCTL(PSetVolumeStatus)
AFS_STATCNT(PSetVolumeStatus); AFS_STATCNT(PSetVolumeStatus);
if (!avc) if (!avc)
return EINVAL; return EINVAL;
memset(&storeStat, 0, sizeof(storeStat));
tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK); tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK);
if (tvp) { if (tvp) {