RXAFSCB_TellMeAboutYourself does not completely initialize its output
buffers. This leaks kernel memory over the wire:

struct interfaceAddr

Unix cache manager (libafs)
- up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4))
- up to 124 bytes in array subnetmask "
- up to 124 bytes in array mtu "

Windows cache manager
- 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4)
- 64 bytes in array subnetmask "
- 64 bytes in array mtu "

The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible:
- fsprobe
- libafscp
- xstat_fs_test

Initialize the buffer.

Change-Id: I2ef868dd9269db7004a21cf913b6787948357d10
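
The byte counts in the commit message can be reproduced in user space with the following added example, which is not part of the commit or of the project's code. `struct iface_addr`, `fill_reply`, `leaked_per_array` and the 0xAA marker are hypothetical stand-ins, and the buffer is pre-filled with the marker to model stale memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDR 32   /* AFS_MAX_INTERFACE_ADDR, value from the commit message */
#define STALE 0xAA    /* constructed marker standing in for old memory contents */
/* Hypothetical, simplified stand-in for struct interfaceAddr (no uuid field). */
struct iface_addr {
    int32_t numberOfInterfaces;
    int32_t addr_in[MAX_ADDR];
    int32_t subnetmask[MAX_ADDR];
    int32_t mtu[MAX_ADDR];
};

/* Build the reply for n interfaces; zero_first selects the patched behaviour. */
static void fill_reply(struct iface_addr *addr, int n, int zero_first)
{
    if (zero_first)
        memset(addr, 0, sizeof(*addr));
    addr->numberOfInterfaces = n;
    for (int i = 0; i < n; i++) {
        addr->addr_in[i] = 0x0a000001 + i;  /* constructed sample values */
        addr->subnetmask[i] = -256;
        addr->mtu[i] = 1500;
    }
}

/* Count bytes of one 32-entry array that still hold the stale marker. */
static size_t stale_bytes(const int32_t *arr)
{
    const unsigned char *p = (const unsigned char *)arr;
    size_t count = 0;
    for (size_t i = 0; i < MAX_ADDR * sizeof(int32_t); i++)
        count += (p[i] == STALE);
    return count;
}

/* Model a reused buffer, build the reply, return stale bytes left in addr_in. */
static size_t leaked_per_array(int n, int zero_first)
{
    struct iface_addr reply;
    memset(&reply, STALE, sizeof(reply));
    fill_reply(&reply, n, zero_first);
    return stale_bytes(reply.addr_in);
}
int main(void)
{
    printf("unpatched: %zu and %zu bytes, patched: %zu\n", leaked_per_array(1, 0),
           leaked_per_array(16, 0), leaked_per_array(1, 1));
    return 0;
}
```

One populated entry leaves 124 stale bytes per array and 16 populated entries leave 64, matching the Unix and Windows figures above; with the `memset` in place both drop to zero.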
}
/* return all network interface addresses */
+ memset(addr, 0, sizeof(*addr));
addr->numberOfInterfaces = cm_noIPAddr;
addr->uuid = cm_data.Uuid;
for ( i=0; i < cm_noIPAddr; i++ ) {
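Review bot: The added `memset(addr, 0, sizeof(*addr));` sits under the existing comment "return all network interface addresses" with nothing explaining why the zeroing is required, so a later cleanup could drop it as redundant with the field assignments that follow. Add a short comment stating that the whole structure is sent to the peer and that entries past cm_noIPAddr must therefore be zero. Also confirm that addr is declared as a pointer to the full struct interfaceAddr here, since sizeof(*addr) only covers the addr_in, subnetmask and mtu tails named in the commit message if that is the case; the declaration is outside the visible lines.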
ObtainReadLock(&afs_xinterface);
/* return all network interface addresses */
+ memset(addr, 0, sizeof(*addr));
addr->numberOfInterfaces = afs_cb_interface.numberOfInterfaces;
addr->uuid = afs_cb_interface.uuid;
for (i = 0; i < afs_cb_interface.numberOfInterfaces; i++) {
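Review bot: The `memset(addr, 0, sizeof(*addr));` is placed after `ObtainReadLock(&afs_xinterface);`, so the output buffer is cleared while the lock is held even though, from the visible lines, the lock guards afs_cb_interface and not addr. Consider moving the memset above the ObtainReadLock call to keep the critical section limited to reads of afs_cb_interface. As in the Windows hunk, a one-line comment saying that the unused array entries go over the wire and must be zero would document why the call is there.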