From 5c4afd5558efcd54152d0be4d56c90e4c6860ef9 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Mon, 14 Mar 2016 23:15:20 -0500 Subject: [PATCH] OPENAFS-SA-2016-002 VldbListByAttributes information leak The VldbListByAttributes structure is used as an input to several RPCs; it contains a Mask field that controls which of the other fields will actually be read by the server during the RPC processing. Unfortunately, the client only wrote to the fields indicated by the mask, leaving the other fields uninitialized for transmission on the wire, leaking some contents of client memory. Plug the information leak by zeroing the entire structure before use. FIXES 132847 Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e --- src/bucoord/commands.c | 1 + src/libadmin/vos/vsprocs.c | 1 + src/volser/vos.c | 4 ++-- src/volser/vsprocs.c | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/bucoord/commands.c b/src/bucoord/commands.c index a1c1385f9..531c3c57b 100644 --- a/src/bucoord/commands.c +++ b/src/bucoord/commands.c @@ -219,6 +219,7 @@ EvalVolumeSet2(struct bc_config *aconfig, *avols = (struct bc_volumeDump *)0; bulkentries.nbulkentries_len = 0; bulkentries.nbulkentries_val = 0; + memset(&attributes, 0, sizeof(attributes)); /* For each of the volume set entries - collect the volumes that match it */ for (tve = avs->ventries; tve; tve = tve->next) { diff --git a/src/libadmin/vos/vsprocs.c b/src/libadmin/vos/vsprocs.c index 060cbf2a2..2fb11deb0 100644 --- a/src/libadmin/vos/vsprocs.c +++ b/src/libadmin/vos/vsprocs.c @@ -3621,6 +3621,7 @@ UV_SyncServer(afs_cell_handle_p cellHandle, struct rx_connection *server, noError = 1; arrayEntries.nbulkentries_val = 0; + memset(&attributes, 0, sizeof(attributes)); /* Set up attributes to search VLDB */ attributes.server = ntohl(rx_HostOf(rx_PeerOf(server))); diff --git a/src/volser/vos.c b/src/volser/vos.c index 3922a9344..28b63a3e2 100644 --- a/src/volser/vos.c +++ b/src/volser/vos.c @@ -4506,7 +4506,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock) aserver = 0; apart = 0; - attributes.Mask = 0; + memset(&attributes, 0, sizeof(attributes)); lock = (as->parms[3].items ? 1 : 0); /* -lock flag */ quiet = (as->parms[4].items ? 1 : 0); /* -quit flag */ sort = (as->parms[5].items ? 0 : 1); /* -nosort flag */ @@ -5009,7 +5009,7 @@ UnlockVLDB(struct cmd_syndesc *as, void *arock) apart = -1; totalE = 0; - attributes.Mask = 0; + memset(&attributes, 0, sizeof(attributes)); if (as->parms[0].items) { /* server specified */ aserver = GetServer(as->parms[0].items->data); diff --git a/src/volser/vsprocs.c b/src/volser/vsprocs.c index 845af9eae..6ef13d79f 100644 --- a/src/volser/vsprocs.c +++ b/src/volser/vsprocs.c @@ -6999,6 +6999,7 @@ UV_SyncServer(afs_uint32 aserver, afs_int32 apart, int flags, int force) aconn = UV_Bind(aserver, AFSCONF_VOLUMEPORT); /* Set up attributes to search VLDB */ + memset(&attributes, 0, sizeof(attributes)); attributes.server = ntohl(aserver); attributes.Mask = VLLIST_SERVER; if ((flags & 1)) { -- 2.39.5