OPENAFS-SA-2016-002 VldbListByAttributes information leak

The VldbListByAttributes structure is used as an input to several
RPCs; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of client memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: I14964e98a57ba6ef060c6e392497f1ebd3afe042

diff --git a/src/bucoord/commands.c b/src/bucoord/commands.c
index 554af79f8c980a7df2a9c0cc74fa3252c38c7828..ec16ca182bdda4983c46cd6fa21c0a50c45981c3 100644 (file)
--- a/src/bucoord/commands.c
+++ b/src/bucoord/commands.c
@@ -207,6 +207,7 @@ EvalVolumeSet2(struct bc_config *aconfig,
     *avols = (struct bc_volumeDump *)0;
     bulkentries.nbulkentries_len = 0;
     bulkentries.nbulkentries_val = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     /* For each of the volume set entries - collect the volumes that match it */
     for (tve = avs->ventries; tve; tve = tve->next) {

diff --git a/src/libadmin/vos/vsprocs.c b/src/libadmin/vos/vsprocs.c
index 28072a4fcfbad1a32c8f01a176095c2f51329b6f..ecc618b977bcc021e4eccd270e839fd4011cde24 100644 (file)
--- a/src/libadmin/vos/vsprocs.c
+++ b/src/libadmin/vos/vsprocs.c
@@ -3604,6 +3604,7 @@ UV_SyncServer(afs_cell_handle_p cellHandle, struct rx_connection *server,
 
     noError = 1;
     arrayEntries.nbulkentries_val = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     /* Set up attributes to search VLDB  */
     attributes.server = ntohl(rx_HostOf(rx_PeerOf(server)));

diff --git a/src/volser/vos.c b/src/volser/vos.c
index f12312e5a058c6199b55e2a36f68b3110302d7d1..6d4dbc68f7eae978c7cef35fb7accf7bd5f66138 100644 (file)
--- a/src/volser/vos.c
+++ b/src/volser/vos.c
@@ -4547,7 +4547,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock)
 
     apart = 0;
 
-    attributes.Mask = 0;
+    memset(&attributes, 0, sizeof(attributes));
     lock = (as->parms[3].items ? 1 : 0);       /* -lock   flag */
     quiet = (as->parms[4].items ? 1 : 0);      /* -quit   flag */
     sort = (as->parms[5].items ? 0 : 1);       /* -nosort flag */
@@ -5050,7 +5050,7 @@ UnlockVLDB(struct cmd_syndesc *as, void *arock)
 
     apart = -1;
     totalE = 0;
-    attributes.Mask = 0;
+    memset(&attributes, 0, sizeof(attributes));
 
     if (as->parms[0].items) {  /* server specified */
        aserver = GetServer(as->parms[0].items->data);

diff --git a/src/volser/vsprocs.c b/src/volser/vsprocs.c
index c2dfa217eeb9d8a31f77f6e61988bfa573a5d244..6fb3ca195da4c5b091c78d62d1b860bb425ba1b3 100644 (file)
--- a/src/volser/vsprocs.c
+++ b/src/volser/vsprocs.c
@@ -6955,6 +6955,7 @@ UV_SyncServer(afs_uint32 aserver, afs_int32 apart, int flags, int force)
     aconn = UV_Bind(aserver, AFSCONF_VOLUMEPORT);
 
     /* Set up attributes to search VLDB  */
+    memset(&attributes, 0, sizeof(attributes));
     attributes.server = ntohl(aserver);
     attributes.Mask = VLLIST_SERVER;
     if ((flags & 1)) {