From 28edf734db08d3a8285e89d9d78aa21db726e4c7 Mon Sep 17 00:00:00 2001
From: Mark Vitale
Date: Tue, 26 Jun 2018 02:33:05 -0400
Subject: [PATCH] OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak

AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not properly initialize their reply buffers. This leaks the contents of volserver memory over the wire:

AFSVolPartitionInfo (struct diskPartition)
- up to 24 bytes in member name (32-'/vicepa\0'))
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))

AFSVolPartitionInfo64 (struct diskPartition64)
- up to 248 bytes in member name (256-'/vicepa\0'))
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')

Initialize the output buffers.

[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]

(cherry picked from commit 76e62c1de868c2b2e3cc56a35474e15dc4cc1551)
Change-Id: I041b91873a38a2af40f5b0a00b70cc87634f25c8
---
 src/volser/volprocs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/volser/volprocs.c b/src/volser/volprocs.c
index 2c9c3001c..537e50a5d 100644
--- a/src/volser/volprocs.c
+++ b/src/volser/volprocs.c
@@ -420,6 +420,7 @@ SAFSVolPartitionInfo(struct rx_call *acid, char *pname, struct diskPartition
     afs_int32 code;
     struct diskPartition64 *dp = malloc(sizeof(struct diskPartition64));
 
+    memset(partition, 0, sizeof(*partition));
     code = VolPartitionInfo(acid, pname, dp);
     if (!code) {
 	strncpy(partition->name, dp->name, 32);
@@ -439,6 +440,7 @@ SAFSVolPartitionInfo64(struct rx_call *acid, char *pname, struct diskPartition64
 {
     afs_int32 code;
 
+    memset(partition, 0, sizeof(*partition));
     code = VolPartitionInfo(acid, pname, partition);
     osi_auditU(acid, VS_ParInfEvent, code, AUD_STR, pname, AUD_END);
     return code;
-- 
2.39.5
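Review bot: The memset stops stale heap bytes from reaching the wire, but the `strncpy(partition->name, dp->name, 32)` that follows it in SAFSVolPartitionInfo can still leave name without a NUL terminator when dp->name (a 256-byte field per the commit message) holds 32 or more characters, so an always-terminated bounded copy such as `snprintf(partition->name, sizeof partition->name, "%s", dp->name);` would close that case as well; the devName copy further down presumably has the same shape. The `malloc` of dp two lines above the memset is also used unchecked, so a failed allocation passes a NULL buffer to VolPartitionInfo; a guard like `if (!dp) return ENOMEM;` before the call (or whichever allocation-failure code this module conventionally returns) would cover it, and the remainder of SAFSVolPartitionInfo, including where dp is freed, lies outside the hunk. Both new memsets would read better with a one-line why-comment, e.g. `/* Zero the whole reply: fixed-size name/devName must not carry stale memory over the wire. */`, here and in the SAFSVolPartitionInfo64 hunk.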