From 6cdfce3c9a5712a6a3088c1f3693a6b782771375 Mon Sep 17 00:00:00 2001
From: Mark Vitale
Date: Tue, 26 Jun 2018 03:37:37 -0400
Subject: [PATCH] OPENAFS-SA-2018-002 ptserver: prevent PR_ListEntries information leak

PR_ListEntries (pts listentries) does not properly initialize its output buffers. This leaks ptserver memory over the wire: struct prlistentries - up to 62 bytes for each entry name (PR_MAXNAMELEN 64 - 'a\0') Initialize the buffer, and remove the now redundant memset for the reserved fields.
(cherry picked from commit 9d1aeb5d761581a35bef2042e9116b96e9ae3bf5)
(cherry picked from commit e19ad4cdde463d2bbb4b815525da992bd5fc2648)
(cherry picked from commit 7ee25861685a4f56b304627ca2a0dbfed179646d)
Change-Id: I42d32876ddf8fa98744620fdf75b4e0783b93aba
---
 src/ptserver/ptprocs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index 181cc2860f..2303c7399d 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -1647,6 +1647,7 @@ put_prentries(struct prentry *tentry, prentries *bulkentries)
 entry = (struct prlistentries *)bulkentries->prentries_val;
 entry += bulkentries->prentries_len;
+ memset(entry, 0, sizeof(*entry));
 entry->flags = tentry->flags >> PRIVATE_SHIFT;
 if (entry->flags == 0) {
 entry->flags =
@@ -1661,7 +1662,6 @@ put_prentries(struct prentry *tentry, prentries *bulkentries)
 entry->nusers = tentry->nusers;
 entry->count = tentry->count;
 strncpy(entry->name, tentry->name, PR_MAXNAMELEN);
- memset(entry->reserved, 0, sizeof(entry->reserved));
 bulkentries->prentries_len++;
 return 0;
 }
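Review bot: The added `memset(entry, 0, sizeof(*entry));` in the first hunk has no comment saying why the whole entry is cleared, so a later cleanup could reduce it to per-field initialization and bring back the leak the commit message describes. I would add above it `/* entry is returned to the client: clear every byte, including fields and padding not assigned below */`. Separately, the unchanged `strncpy(entry->name, tentry->name, PR_MAXNAMELEN);` in the second hunk's context copies up to the full length, so if `entry->name` is PR_MAXNAMELEN bytes (as the commit message suggests), a source with no NUL inside that length would leave the name unterminated despite the memset. It is worth confirming that `tentry->name` is always terminated before it reaches this function. The start of put_prentries, including the buffer allocation, lies outside these hunks.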