shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-28 02:50:16 +03:00
Code

sd-daemon: wipe out memory before using CMSG_NXTHDR()

Browse Source 
CMSG_NXTHDR() checks for cmsg->cmsg_len *after* it increased the pointer.
While this makes sense for parsing received messages, that's a pitfall
for code crafting messages with this macro.

Wipe out the allocated memory to fix this.
This commit is contained in:
Daniel Mack 2015-10-12 14:44:26 +02:00
parent 0a41d91f30
commit 40f4423892
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libsystemd/sd-daemon/sd-daemon.c
View File

@ -454,7 +454,7 @@ _public_ int sd_pid_notify_with_fds(pid_t pid, int unset_environment, const char
(n_fds > 0 ? CMSG_SPACE(sizeof(int) * n_fds) : 0) +
(have_pid ? CMSG_SPACE(sizeof(struct ucred)) : 0);
msghdr.msg_control = alloca(msghdr.msg_controllen);
msghdr.msg_control = alloca0(msghdr.msg_controllen);
cmsg = CMSG_FIRSTHDR(&msghdr);
if (n_fds > 0) {