From: Benjamin Kaduk <kaduk@mit.edu>
Date: Tue, 15 Mar 2016 04:15:20 +0000 (-0500)
Subject: OPENAFS-SA-2016-002 ListAddrByAttributes information leak
X-Git-Tag: upstream/1.6.17^2~2
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=becf282ecf9bec3f266d4f8403c1e93d22ab455a;p=packages%2Fo%2Fopenafs.git

OPENAFS-SA-2016-002 ListAddrByAttributes information leak

The ListAddrByAttributes structure is used as an input to the GetAddrsU
RPC; it contains a Mask field that controls which of the other fields
will actually be read by the server during the RPC processing.
Unfortunately, the client only wrote to the fields indicated by the
mask, leaving the other fields uninitialized for transmission on the
wire, leaking some contents of client memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
---

diff --git a/src/libadmin/vos/afs_vosAdmin.c b/src/libadmin/vos/afs_vosAdmin.c
index bed8c494f..557feb90e 100644
--- a/src/libadmin/vos/afs_vosAdmin.c
+++ b/src/libadmin/vos/afs_vosAdmin.c
@@ -1199,6 +1199,7 @@ GetServerRPC(void *rpc_specific, int slot, int *last_item,
     bulkaddrs addr_multi;
     int i;
 
+    memset(&m_attrs, 0, sizeof(m_attrs));
     /*
      * Check to see if this is a multihomed address server
      */
diff --git a/src/venus/cacheout.c b/src/venus/cacheout.c
index 2a390ade7..3d44fd9fc 100644
--- a/src/venus/cacheout.c
+++ b/src/venus/cacheout.c
@@ -71,6 +71,7 @@ ListServers(void)
     char hoststr[16];
     ListAddrByAttributes m_attrs;
 
+    memset(&m_attrs, 0, sizeof(m_attrs));
     memset(&addrs, 0, sizeof(addrs));
     memset(&spare3, 0, sizeof(spare3));
     code =
diff --git a/src/vlserver/vlclient.c b/src/vlserver/vlclient.c
index c7bfa7ee8..b29c5d860 100644
--- a/src/vlserver/vlclient.c
+++ b/src/vlserver/vlclient.c
@@ -824,6 +824,7 @@ handleit(struct cmd_syndesc *as, void *arock)
 
 			printf("[0x%x %u] (special multi-homed entry)\n",
 			       *addrp, *addrp);
+			memset(&attrs, 0, sizeof(attrs));
 			attrs.Mask = VLADDR_INDEX;
 			mhaddrs.bulkaddrs_val = 0;
 			mhaddrs.bulkaddrs_len = 0;
@@ -899,6 +900,7 @@ handleit(struct cmd_syndesc *as, void *arock)
 
 			addrs2.bulkaddrs_val = 0;
 			addrs2.bulkaddrs_len = 0;
+			memset(&attrs, 0, sizeof(attrs));
 			attrs.Mask = VLADDR_INDEX;
 			attrs.index = (base * VL_MHSRV_PERBLK) + index;
 			code =