sd-daemon: wipe out memory before using CMSG_NXTHDR()

CMSG_NXTHDR() checks for cmsg->cmsg_len *after* it increased the pointer.
While this makes sense for parsing received messages, that's a pitfall
for code crafting messages with this macro.

Wipe out the allocated memory to fix this.
Daniel Mack 2015-10-12 14:44:26 +02:00
parent 0a41d91f30
commit 40f4423892

@ -454,7 +454,7 @@ _public_ int sd_pid_notify_with_fds(pid_t pid, int unset_environment, const char
(n_fds > 0 ? CMSG_SPACE(sizeof(int) * n_fds) : 0) +
(have_pid ? CMSG_SPACE(sizeof(struct ucred)) : 0);
msghdr.msg_control = alloca(msghdr.msg_controllen);
msghdr.msg_control = alloca0(msghdr.msg_controllen);
cmsg = CMSG_FIRSTHDR(&msghdr);
if (n_fds > 0) {
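Review bot: the `alloca0(msghdr.msg_controllen)` line should carry a short comment saying the zeroing is required, because CMSG_NXTHDR() inspects cmsg_len of the next header while the message is still being built. Without it the call reads like an ordinary allocation and could be changed back to alloca() in a later cleanup. Separately, msg_controllen grows with `CMSG_SPACE(sizeof(int) * n_fds)` and the buffer lives on the stack; the visible lines show no upper bound on n_fds before the allocation, so please confirm one is enforced earlier in the function or move this buffer to the heap.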