summaryrefslogtreecommitdiff
path: root/sys/kern
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>2007-02-20 17:42:30 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2007-02-20 17:42:30 +0000
commit98133c6e1d4bb78d264df830f10512387929508b (patch)
tree11c64c624939110b3af57630be9a11311434a95d /sys/kern
parent52725fd54971212fb47f236813d441b7b8ac9ee4 (diff)
for sensors do not leak kernel pointers when copying out to userland;
spotted by art, ok dlg art
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_sysctl.c32
1 files changed, 24 insertions, 8 deletions
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index d40e173d43f..1178c4313f3 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.147 2007/01/12 07:41:31 art Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.148 2007/02/20 17:42:29 deraadt Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@@ -1776,11 +1776,10 @@ int
sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
void *newp, size_t newlen)
{
- struct sensor *s;
- struct sensordev *sd;
- int dev;
+ struct sensor *s, *tmps;
+ struct sensordev *sd, *tmpsd;
+ int dev, numt, ret;
enum sensor_type type;
- int numt;
if (namelen != 1 && namelen != 3)
return (ENOTDIR);
@@ -1791,8 +1790,17 @@ sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
if (sd == NULL)
return (ENOENT);
- return (sysctl_rdstruct(oldp, oldlenp, newp, sd,
- sizeof(struct sensordev)));
+ /* Grab a copy, to clear the kernel pointers */
+ tmpsd = malloc(sizeof(*tmpsd), M_TEMP, M_WAITOK);
+ bcopy(sd, tmpsd, sizeof(*tmpsd));
+ bzero(&tmpsd->list, sizeof(tmpsd->list));
+ bzero(&tmpsd->sensors_list, sizeof(tmpsd->sensors_list));
+
+ ret = sysctl_rdstruct(oldp, oldlenp, newp, tmpsd,
+ sizeof(struct sensordev));
+
+ free(tmpsd, M_TEMP);
+ return (ret);
}
type = name[1];
@@ -1802,7 +1810,15 @@ sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
if (s == NULL)
return (ENOENT);
- return (sysctl_rdstruct(oldp, oldlenp, newp, s, sizeof(struct sensor)));
+ /* Grab a copy, to clear the kernel pointers */
+ tmps = malloc(sizeof(*tmps), M_TEMP, M_WAITOK);
+ bcopy(s, tmps, sizeof(*tmps));
+ bzero(&tmps->list, sizeof(tmps->list));
+
+ ret = sysctl_rdstruct(oldp, oldlenp, newp, tmps,
+ sizeof(struct sensor));
+ free(tmps, M_TEMP);
+ return (ret);
}
int