From be0142707ca54f3de99c4886530e7ac9f48dd61c Mon Sep 17 00:00:00 2001
From: Mark Vitale
Date: Tue, 26 Jun 2018 05:12:32 -0400
Subject: [PATCH 1/1] OPENAFS-SA-2018-002 butc: prevent TC_DumpStatus, TC_ScanStatus information leaks
TC_ScanStatus (backup status) and TC_GetStatus (internal backup status watcher) do not initialize their output buffers. They leak memory contents over the wire:
struct tciStatusS
- up to 64 bytes in member taskName (TC_MAXNAMELEN 64)
- up to 64 bytes in member volumeName "
Initialize the buffers.
[kaduk@mit.edu: move initialization to top of server routines]
Change-Id: I0337d233e1dced56e351ed00471c9738fcd3b9db
---
 src/butc/tcstatus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/butc/tcstatus.c b/src/butc/tcstatus.c
index fbe46a4..db06b51 100644
--- a/src/butc/tcstatus.c
+++ b/src/butc/tcstatus.c
@@ -46,14 +46,13 @@ STC_GetStatus(struct rx_call *call, afs_uint32 taskId,
 statusP ptr;
 int retval = 0;
+ memset(statusPtr, 0, sizeof(*statusPtr));
 if (callPermitted(call) == 0) return (TC_NOTPERMITTED);
 lock_Status();
 ptr = findStatus(taskId);
 if (ptr) {
- /* strcpy(statusPtr->status, ptr->status); */
-
 strcpy(statusPtr->taskName, ptr->taskName);
 strcpy(statusPtr->volumeName, ptr->volumeName);
 statusPtr->taskId = ptr->taskId;
@@ -133,6 +132,7 @@ STC_ScanStatus(struct rx_call *call, afs_uint32 *taskId,
 statusP ptr = 0;
 dlqlinkP dlqPtr;
+ memset(statusPtr, 0, sizeof(*statusPtr));
 if (callPermitted(call) == 0) return (TC_NOTPERMITTED);
--
1.9.4
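Review bot: The `strcpy` calls kept as context under `if (ptr)` in STC_GetStatus, e.g. `strcpy(statusPtr->volumeName, ptr->volumeName);`, still copy into the reply fields with no length bound, so an over-long or unterminated name in the status node would write past the member the new `memset` has just zeroed. The commit message gives 64 bytes (TC_MAXNAMELEN) for these members; the size of the source fields is not visible in this hunk, so this is worth confirming against the struct definitions. If the members are arrays, a bounded copy such as `snprintf(statusPtr->volumeName, sizeof(statusPtr->volumeName), "%s", ptr->volumeName);` keeps the copy inside the destination and always terminates it. The body of STC_GetStatus starts and ends outside the hunk.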
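Review bot: The `memset` added at the top of STC_ScanStatus (and the matching one in STC_GetStatus) carries no comment saying why it must run before the `callPermitted` check, so a later cleanup could move it below the early return and bring back the uninitialized reply on the TC_NOTPERMITTED path. Suggest a comment above each call, `/* Zero the reply first: every return path, including TC_NOTPERMITTED, must hand back an initialized struct. */`. Whether the RPC layer sends the output struct on error returns is not visible here, so confirm that against the generated server stub. The body of STC_ScanStatus continues outside the hunk.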