svn commit: r327500 - head/sys/dev/ath

[Ed Maste]

Author: emaste
Date: Tue Jan  2 19:34:23 2018
New Revision: 327500
URL: https://svnweb.freebsd.org/changeset/base/327500

Log:
  ath: fix possible memory disclosures in ioctl handlers
  
  Apply the fix from r327499 to additional ioctl handlers.
  
  Reported by:  Ilja van Sprundel <ivansprun...@ioactive.com>
  MFC after:    1 week
  MFC with:     r327499
  Sponsored by: The FreeBSD Foundation

Modified:
  head/sys/dev/ath/if_ath_lna_div.c
  head/sys/dev/ath/if_ath_spectral.c

Modified: head/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- head/sys/dev/ath/if_ath_lna_div.c   Tue Jan  2 19:29:30 2018        
(r327499)
+++ head/sys/dev/ath/if_ath_lna_div.c   Tue Jan  2 19:34:23 2018        
(r327500)
@@ -189,7 +189,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
                 * pointer for us to use below in reclaiming the buffer;
                 * may want to be more defensive.
                 */
-               outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+               outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
                if (outdata == NULL) {
                        error = ENOMEM;
                        goto bad;
@@ -198,6 +198,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
        switch (id) {
                default:
                        error = EINVAL;
+                       goto bad;
        }
        if (outsize < ad->ad_out_size)
                ad->ad_out_size = outsize;

Modified: head/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- head/sys/dev/ath/if_ath_spectral.c  Tue Jan  2 19:29:30 2018        
(r327499)
+++ head/sys/dev/ath/if_ath_spectral.c  Tue Jan  2 19:34:23 2018        
(r327500)
@@ -219,7 +219,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
                 * pointer for us to use below in reclaiming the buffer;
                 * may want to be more defensive.
                 */
-               outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+               outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
                if (outdata == NULL) {
                        error = ENOMEM;
                        goto bad;
@@ -282,6 +282,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
                break;
                default:
                        error = EINVAL;
+                       goto bad;
        }
        if (outsize < ad->ad_out_size)
                ad->ad_out_size = outsize;
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"