author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2007-02-20 17:42:30 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2007-02-20 17:42:30 +0000 |
commit | 98133c6e1d4bb78d264df830f10512387929508b (patch) | |
tree | 11c64c624939110b3af57630be9a11311434a95d | |
parent | 52725fd54971212fb47f236813d441b7b8ac9ee4 (diff) |
for sensors do not leak kernel pointers when copying out to userland;
spotted by art, ok dlg art
-rw-r--r-- | sys/kern/kern_sysctl.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index d40e173d43f..1178c4313f3 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.147 2007/01/12 07:41:31 art Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.148 2007/02/20 17:42:29 deraadt Exp $ */
 /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
 
 /*-
@@ -1776,11 +1776,10 @@ int
 sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 void *newp, size_t newlen)
 {
- struct sensor *s;
- struct sensordev *sd;
- int dev;
+ struct sensor *s, *tmps;
+ struct sensordev *sd, *tmpsd;
+ int dev, numt, ret;
 enum sensor_type type;
- int numt;
 
 if (namelen != 1 && namelen != 3)
 return (ENOTDIR);
@@ -1791,8 +1790,17 @@ sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 if (sd == NULL)
 return (ENOENT);
 
- return (sysctl_rdstruct(oldp, oldlenp, newp, sd,
- sizeof(struct sensordev)));
+ /* Grab a copy, to clear the kernel pointers */
+ tmpsd = malloc(sizeof(*tmpsd), M_TEMP, M_WAITOK);
+ bcopy(sd, tmpsd, sizeof(*tmpsd));
+ bzero(&tmpsd->list, sizeof(tmpsd->list));
+ bzero(&tmpsd->sensors_list, sizeof(tmpsd->sensors_list));
+
+ ret = sysctl_rdstruct(oldp, oldlenp, newp, tmpsd,
+ sizeof(struct sensordev));
+
+ free(tmpsd, M_TEMP);
+ return (ret);
 }
 
 type = name[1];
@@ -1802,7 +1810,15 @@ sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 if (s == NULL)
 return (ENOENT);
 
- return (sysctl_rdstruct(oldp, oldlenp, newp, s, sizeof(struct sensor)));
+ /* Grab a copy, to clear the kernel pointers */
+ tmps = malloc(sizeof(*tmps), M_TEMP, M_WAITOK);
+ bcopy(s, tmps, sizeof(*tmps));
+ bzero(&tmps->list, sizeof(tmps->list));
+
+ ret = sysctl_rdstruct(oldp, oldlenp, newp, tmps,
+ sizeof(struct sensor));
+ free(tmps, M_TEMP);
+ return (ret);
 }
 
 int |
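Review bot: The copy in the hunk at -1791,8 is scrubbed by naming the members to clear (`bzero(&tmpsd->list, ...)`, `bzero(&tmpsd->sensors_list, ...)`) after a whole-structure `bcopy`, and the hunk at -1802,7 does the same for `tmps->list`. That is a denylist: a pointer-bearing member added to `struct sensordev` or `struct sensor` later would be copied out unchanged, and so would any padding bytes in the kernel object (the structure definitions are not visible here, so whether padding exists is unconfirmed). Inverting it is more robust: start from `bzero(tmpsd, sizeof(*tmpsd));` and assign only the members userland is meant to read. Either way, a comment on the two structure definitions saying they are copied out to userland by sysctl_sensors() would keep the scrub list from going stale. The body of sysctl_sensors() starts and continues outside these hunks.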
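Review bot: `malloc(sizeof(*tmps), M_TEMP, M_WAITOK)` may sleep, and in the hunk at -1802,7 it runs between the `s == NULL` check and `bcopy(s, tmps, ...)`; the hunk at -1791,8 has the same ordering for `sd`. If a sensor or sensor device can be detached while the caller sleeps, the `bcopy` would read a stale object; the lookup that sets `s` is above the hunk and the detach path is not in this diff, so this is unconfirmed. Allocating the temporary before the lookup, and freeing it on the `ENOENT` return, keeps the lookup and the copy back to back, after which `sysctl_rdstruct` only touches the private copy.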