From: Mark Vitale Date: Tue, 26 Jun 2018 07:56:24 +0000 (-0400) Subject: OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak X-Git-Tag: upstream/1.8.2^2~19 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=a6557ffa64d8fab3526c4f89629dcbb965a27780;p=packages%2Fo%2Fopenafs.git OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak RXAFSCB_TellMeAboutYourself does not completely initialize its output buffers. This leaks kernel memory over the wire: struct interfaceAddr Unix cache manager (libafs) - up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4)) - up to 124 bytes in array subnetmask " - up to 124 bytes in array mtu " Windows cache manager - 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4) - 64 bytes in array subnetmask " - 64 bytes in array mtu " The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible: - fsprobe - libafscp - xstat_fs_test Initialize the buffer. (cherry picked from commit 211b6d6a4307006da1467b3be46912a3a5d7b20b) Change-Id: I2fee5cc9c11ea42726c7c8f9a7d14eafee6142f0 --- diff --git a/src/WINNT/afsd/cm_callback.c b/src/WINNT/afsd/cm_callback.c index 5816bbe3c..a5db1403e 100644 --- a/src/WINNT/afsd/cm_callback.c +++ b/src/WINNT/afsd/cm_callback.c @@ -1256,6 +1256,7 @@ SRXAFSCB_TellMeAboutYourself( struct rx_call *callp, } /* return all network interface addresses */ + memset(addr, 0, sizeof(*addr)); addr->numberOfInterfaces = cm_noIPAddr; addr->uuid = cm_data.Uuid; for ( i=0; i < cm_noIPAddr; i++ ) { diff --git a/src/afs/afs_callback.c b/src/afs/afs_callback.c index 2bad7c94a..038cddab2 100644 --- a/src/afs/afs_callback.c +++ b/src/afs/afs_callback.c 
@@ -1619,6 +1619,7 @@ SRXAFSCB_TellMeAboutYourself(struct rx_call *a_call, ObtainReadLock(&afs_xinterface); /* return all network interface addresses */ + memset(addr, 0, sizeof(*addr)); addr->numberOfInterfaces = afs_cb_interface.numberOfInterfaces; addr->uuid = afs_cb_interface.uuid; for (i = 0; i < afs_cb_interface.numberOfInterfaces; i++) {
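Review bot: In the src/WINNT/afsd/cm_callback.c hunk, the new `memset(addr, 0, sizeof(*addr));` sits under the existing comment `/* return all network interface addresses */`, which does not explain why the buffer is cleared. A short comment of its own would help, stating that the whole struct interfaceAddr is marshalled to the caller and that the loop bounded by `i < cm_noIPAddr` fills only the leading entries of addr_in, subnetmask and mtu. Without it, a later cleanup could drop the call as redundant. The memset also follows a block that closes on the `}` context line. It is worth confirming that no path reaching the reply before this point leaves `addr` unwritten, or else moving the memset to function entry.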
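Review bot: In the src/afs/afs_callback.c hunk, `memset(addr, 0, sizeof(*addr));` is placed after `ObtainReadLock(&afs_xinterface);`, but it touches only the caller's output buffer and nothing the lock protects. Moving it above the lock acquisition keeps the read-locked section limited to the copies out of `afs_cb_interface`, and guarantees the buffer is zeroed even if the locked section is later restructured. As in the Windows hunk, a one-line comment should tie the zeroing to the entries beyond `afs_cb_interface.numberOfInterfaces`, which the loop never writes, so the reason for the call stays visible in the source.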