From: Mark Vitale
Date: Tue, 26 Jun 2018 06:33:05 +0000 (-0400)
Subject: OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak
X-Git-Tag: upstream/1.8.2^2~23
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=28edf734db08d3a8285e89d9d78aa21db726e4c7;p=packages%2Fo%2Fopenafs.git

OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak

AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not properly initialize their reply buffers. This leaks the contents of volserver memory over the wire:

AFSVolPartitionInfo (struct diskPartition)
- up to 24 bytes in member name (32-'/vicepa\0')
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0')

AFSVolPartitionInfo64 (struct diskPartition64)
- up to 248 bytes in member name (256-'/vicepa\0')
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')

Initialize the output buffers.

[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]

(cherry picked from commit 76e62c1de868c2b2e3cc56a35474e15dc4cc1551)

Change-Id: I041b91873a38a2af40f5b0a00b70cc87634f25c8
---
diff --git a/src/volser/volprocs.c b/src/volser/volprocs.c index 2c9c3001c..537e50a5d 100644 --- a/src/volser/volprocs.c +++ b/src/volser/volprocs.c @@ -420,6 +420,7 @@ SAFSVolPartitionInfo(struct rx_call *acid, char *pname, struct diskPartition afs_int32 code; struct diskPartition64 *dp = malloc(sizeof(struct diskPartition64)); + memset(partition, 0, sizeof(*partition)); code = VolPartitionInfo(acid, pname, dp); if (!code) { strncpy(partition->name, dp->name, 32); @@ -439,6 +440,7 @@ SAFSVolPartitionInfo64(struct rx_call *acid, char *pname, struct diskPartition64 { afs_int32 code; + memset(partition, 0, sizeof(*partition)); code = VolPartitionInfo(acid, pname, partition); osi_auditU(acid, VS_ParInfEvent, code, AUD_STR, pname, AUD_END); return code;
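Review bot: in the SAFSVolPartitionInfo hunk (@@ -420) the malloc() result dp is still handed to VolPartitionInfo(acid, pname, dp) without a NULL check, so an allocation failure dereferences NULL before the new memset() of partition has any effect; test dp and return an error before the call. The memset() also only covers bytes that strncpy(partition->name, dp->name, 32) never writes: with a 32-byte member and a 32-byte bound, a name of 32 or more characters is left without a terminator, so copying at most sizeof(partition->name) - 1 bytes and letting the zero-fill supply the NUL would close that case as well. Placing the memset() as the first statement, ahead of the malloc(), would also make it obvious that the reply is zeroed on every path out of the handler.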
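Review bot: in the SAFSVolPartitionInfo64 hunk (@@ -439) the zeroing is scoped to the RPC handler rather than to VolPartitionInfo(), which is the function that actually leaves parts of the struct unwritten; the first hunk shows it is also called with a malloc()'d, never-zeroed diskPartition64, so a future third caller would reintroduce the leak silently. Either add a comment above this memset(partition, 0, sizeof(*partition)) stating that VolPartitionInfo() fills only some members and every caller must pre-zero its buffer, or put the memset() inside VolPartitionInfo() so the contract is enforced in one place.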
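An added example, not OpenAFS code, that reproduces the class of bug the commit message describes: a reply struct whose fixed-size name fields are only partially written, so an encoder that sends the whole fixed array puts every unwritten byte on the wire. The struct layout, the field bound of 32 versus a 256-byte member, the 0xA5 "stale memory" marker and the helper names are assumptions chosen to mirror diskPartition64 and VolPartitionInfo, not the project's own definitions. The point it makes beyond the commit message is that strncpy() pads with NUL only up to its bound, so everything past byte 32 is whatever the buffer held before.

```c
/*
 * Added example (not OpenAFS code). Shows why a partially filled fixed-size
 * reply struct leaks prior memory contents and how a leading memset() closes
 * the hole. struct reply64 and fill_reply() are hypothetical stand-ins for
 * diskPartition64 and VolPartitionInfo().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256   /* assumed member size, mirroring diskPartition64 */
#define COPY_LEN 32    /* assumed copy bound, mirroring strncpy(..., 32)  */

struct reply64 {       /* stand-in for struct diskPartition64 */
    char name[NAME_LEN];
    char devName[NAME_LEN];
    int32_t lock_fd;
    int32_t minFree;
    int32_t free;
};

/* Stand-in callee: writes at most 32 bytes of each 256-byte name field.
 * strncpy() NUL-pads only up to COPY_LEN, so bytes 32..255 are untouched. */
static void fill_reply(struct reply64 *r, const char *pname)
{
    char dev[64];
    snprintf(dev, sizeof dev, "%s/Lock%s", pname, pname); /* e.g. /vicepa/Lock/vicepa */
    strncpy(r->name, pname, COPY_LEN);
    strncpy(r->devName, dev, COPY_LEN);
    r->lock_fd = -1;
    r->minFree = 0;
    r->free = 0;
}

/* Count bytes of a fixed field that still carry the 0xA5 stale marker.
 * A fixed-length array encoder transmits the whole field, so each such
 * byte is a byte of server memory that reaches the client. */
static size_t stale_bytes(const char *field, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)field[i] == 0xA5)
            n++;
    return n;
}

/* Vulnerable handler: the reply buffer is used as found. Returns the number
 * of stale bytes that would go on the wire. */
size_t handler_vulnerable(const char *pname)
{
    struct reply64 reply;
    memset(&reply, 0xA5, sizeof reply); /* constructed: simulate stale stack contents */
    fill_reply(&reply, pname);
    return stale_bytes(reply.name, NAME_LEN) + stale_bytes(reply.devName, NAME_LEN);
}

/* Fixed handler: zero the whole reply before the callee fills it, which is
 * what the patch's memset(partition, 0, sizeof(*partition)) does. */
size_t handler_fixed(const char *pname)
{
    struct reply64 reply;
    memset(&reply, 0xA5, sizeof reply); /* constructed: same stale contents */
    memset(&reply, 0, sizeof reply);    /* the fix */
    fill_reply(&reply, pname);
    return stale_bytes(reply.name, NAME_LEN) + stale_bytes(reply.devName, NAME_LEN);
}

int main(void)
{
    printf("vulnerable: %zu stale bytes leak\n", handler_vulnerable("/vicepa"));
    printf("fixed:      %zu stale bytes leak\n", handler_fixed("/vicepa"));
    return 0;
}
```

With "/vicepa" the vulnerable handler leaks 224 bytes from each name field (256 minus the 32 bytes strncpy() writes), 448 in total, and the fixed handler leaks none; the numbers differ from the commit message's "up to" figures only because strncpy() zero-pads to its bound, which the message's worst-case arithmetic does not credit.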