From 76e62c1de868c2b2e3cc56a35474e15dc4cc1551 Mon Sep 17 00:00:00 2001
From: Mark Vitale
Date: Tue, 26 Jun 2018 02:33:05 -0400
Subject: [PATCH] OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak

AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not properly initialize their reply buffers. This leaks the contents of volserver memory over the wire:

AFSVolPartitionInfo (struct diskPartition)
- up to 24 bytes in member name (32-'/vicepa\0'))
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))

AFSVolPartitionInfo64 (struct diskPartition64)
- up to 248 bytes in member name (256-'/vicepa\0'))
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')

Initialize the output buffers.

[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]

Change-Id: If64c02f36f10f52bfbab4b21ad1f60032c223c82
---
 src/volser/volprocs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/volser/volprocs.c b/src/volser/volprocs.c
index 07ba5b4..7061aac 100644
--- a/src/volser/volprocs.c
+++ b/src/volser/volprocs.c
@@ -382,6 +382,7 @@ SAFSVolPartitionInfo(struct rx_call *acid, char *pname, struct diskPartition
     afs_int32 code;
     struct diskPartition64 *dp = malloc(sizeof(struct diskPartition64));
 
+    memset(partition, 0, sizeof(*partition));
     code = VolPartitionInfo(acid, pname, dp);
     if (!code) {
 	strncpy(partition->name, dp->name, 32);
@@ -401,6 +402,7 @@ SAFSVolPartitionInfo64(struct rx_call *acid, char *pname, struct diskPartition64
 {
     afs_int32 code;
 
+    memset(partition, 0, sizeof(*partition));
     code = VolPartitionInfo(acid, pname, partition);
     osi_auditU(acid, VS_ParInfEvent, code, AUD_STR, pname, AUD_END);
     return code;
-- 
1.9.4
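Review bot: The `strncpy(partition->name, dp->name, 32)` copy in the first hunk still leaves `partition->name` without a NUL terminator whenever `dp->name` is 32 or more bytes long, because the 256-byte `diskPartition64` name is squeezed into a 32-byte field and strncpy does not terminate on truncation; the new memset does not change that, since strncpy overwrites all 32 bytes afterwards. If the wire format requires the full fixed-size array this only needs a comment warning receivers that the field may be unterminated, otherwise `strncpy(partition->name, dp->name, 31);` after the memset keeps the last byte zero. Separately, `dp` comes from `malloc` on the line above the memset and is passed to VolPartitionInfo without a NULL check, which the commit does not address. SAFSVolPartitionInfo's body continues past the end of the hunk, so whether dp is freed and whether the devName copy has the same termination issue is not visible here.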