OPENAFS-SA-2016-002 VldbListByAttributes information leak

The VldbListByAttributes structure is used as an input to several
RPCs; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of client memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e

diff --git a/src/bucoord/commands.c b/src/bucoord/commands.c
index a1c1385f9f497b09bfbb29af565ef6eecc460c10..531c3c57bd868646f3ce1b6bae9187844890e23a 100644 (file)
--- a/src/bucoord/commands.c
+++ b/src/bucoord/commands.c
@@ -219,6 +219,7 @@ EvalVolumeSet2(struct bc_config *aconfig,
     *avols = (struct bc_volumeDump *)0;
     bulkentries.nbulkentries_len = 0;
     bulkentries.nbulkentries_val = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     /* For each of the volume set entries - collect the volumes that match it */
     for (tve = avs->ventries; tve; tve = tve->next) {

diff --git a/src/libadmin/vos/vsprocs.c b/src/libadmin/vos/vsprocs.c
index 060cbf2a2d13deddedd337c04aba0cef97d569c3..2fb11deb03a1232483706f07893de24433953616 100644 (file)
--- a/src/libadmin/vos/vsprocs.c
+++ b/src/libadmin/vos/vsprocs.c
@@ -3621,6 +3621,7 @@ UV_SyncServer(afs_cell_handle_p cellHandle, struct rx_connection *server,
 
     noError = 1;
     arrayEntries.nbulkentries_val = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     /* Set up attributes to search VLDB  */
     attributes.server = ntohl(rx_HostOf(rx_PeerOf(server)));

diff --git a/src/volser/vos.c b/src/volser/vos.c
index 3922a93445be14240f414929c947d1ba01a9566d..28b63a3e257ae9b81df93d292171c1d59dff27bc 100644 (file)
--- a/src/volser/vos.c
+++ b/src/volser/vos.c
@@ -4506,7 +4506,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock)
     aserver = 0;
     apart = 0;
 
-    attributes.Mask = 0;
+    memset(&attributes, 0, sizeof(attributes));
     lock = (as->parms[3].items ? 1 : 0);       /* -lock   flag */
     quiet = (as->parms[4].items ? 1 : 0);      /* -quit   flag */
     sort = (as->parms[5].items ? 0 : 1);       /* -nosort flag */
@@ -5009,7 +5009,7 @@ UnlockVLDB(struct cmd_syndesc *as, void *arock)
 
     apart = -1;
     totalE = 0;
-    attributes.Mask = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     if (as->parms[0].items) {  /* server specified */
        aserver = GetServer(as->parms[0].items->data);

diff --git a/src/volser/vsprocs.c b/src/volser/vsprocs.c
index 845af9eae7a2c4b663dcd306756c158ff08e8676..6ef13d79f04134047da7c1a50f879966b5c2644a 100644 (file)
--- a/src/volser/vsprocs.c
+++ b/src/volser/vsprocs.c
@@ -6999,6 +6999,7 @@ UV_SyncServer(afs_uint32 aserver, afs_int32 apart, int flags, int force)
     aconn = UV_Bind(aserver, AFSCONF_VOLUMEPORT);
 
     /* Set up attributes to search VLDB  */
+    memset(&attributes, 0, sizeof(attributes));
     attributes.server = ntohl(aserver);
     attributes.Mask = VLLIST_SERVER;
     if ((flags & 1)) {