uninitialized stack memory possibly passed to m_freem

Moritz Buhl Wed, 12 Jan 2022 02:32:11 -0800

Hi tech@,

https://github.com/openbsd/src/commit/0ea6bae06233cd25645df14602c3eda6bdff7dca.patch


the patch forgot to add mrep to the info struct, nfsm_dissect could
pass info.nmi_mrep to m_freem, which is currently uninitialized
stack memory.

Index: sys/nfs/nfs_subs.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/nfs/nfs_subs.c,v
retrieving revision 1.145
diff -u -p -r1.145 nfs_subs.c
--- sys/nfs/nfs_subs.c  11 Jan 2022 03:13:59 -0000      1.145
+++ sys/nfs/nfs_subs.c  12 Jan 2022 09:31:52 -0000
@@ -1841,6 +1841,7 @@ nfsm_srvsattr(struct mbuf **mp, struct v
 
        info.nmi_md = *mp;
        info.nmi_dpos = *dposp;
+       info.nmi_mrep = mrep;
 
        nfsm_dissect(tl, u_int32_t *, NFSX_UNSIGNED);
        if (*tl == nfs_true) {

uninitialized stack memory possibly passed to m_freem

Reply via email to