From 6f26a945adeca87b669282eed0eaca3dca0a1423 Mon Sep 17 00:00:00 2001
From: Mark Vitale
Date: Tue, 26 Jun 2018 04:39:44 -0400
Subject: [PATCH] OPENAFS-SA-2018-002 budb: prevent BUDB_* information leaks
The following budb RPCs do not initialize their output correctly. This leaks buserver memory contents over the wire:
BUDB_FindLatestDump (backup dump)
BUDB_FindDump (backup volrestore, diskrestore, volsetrestore)
BUDB_GetDumps (backup dumpinfo)
BUDB_FindLastTape (backup dump)
struct budb_dumpEntry
- up to 32 bytes in member volumeSetName
- up to 256 bytes in member dumpPath
- up to 32 bytes in member name
- up to 32 bytes in member tape.tapeServer
- up to 32 bytes in member tape.format
- up to 256 bytes in member dumper.name
- up to 128 bytes in member dumper.instance
- up to 256 bytes in member dumper.cell
Initialize the buffer in common routine FillDumpEntry.
(cherry picked from commit e96771471134102d3879a0ac8b2c4ef9d91a61b8)
Change-Id: I85ec8a21966386baa8243326072e5730726cba96
---
 src/budb/procs.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/budb/procs.c b/src/budb/procs.c
index f2987d3115..f976ff3aa3 100644
--- a/src/budb/procs.c
+++ b/src/budb/procs.c
@@ -424,6 +424,7 @@ FillDumpEntry(struct ubik_trans *ut, dbadr da, void *rock)
 struct budb_dumpEntry *dump = (struct budb_dumpEntry *)rock;
 struct dump d, ad;
 
+ memset(dump, 0, sizeof(*dump));
 if (dbread(ut, da, &d, sizeof(d)))
 return BUDB_IO;
 dump->id = ntohl(d.id);
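Review bot: The added `memset(dump, 0, sizeof(*dump));` carries no comment saying why it must stay, so a later cleanup could drop it as redundant, given that the function goes on to assign fields individually (only `dump->id` is visible here). I would put `/* Zero the whole entry first: it is returned to the RPC client, so the unused bytes of its fixed-size string members must not carry buserver memory. */` directly above it. The fix only protects replies that are built through FillDumpEntry. Whether any other path fills a `struct budb_dumpEntry` for the wire cannot be seen from this hunk and is worth confirming. The function body begins before the hunk and continues past it.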