Uninitialized memory access in pfkeyv2_sysctl
Hi, pfkeyv2_sysctl reads the SA type from uninitialized memory if it is not provided by the caller of sysctl(2) because of a missing length check. The following patch fixes this issue. diff --git sys/net/pfkeyv2.c sys/net/pfkeyv2.c index a6a1648e991..c3be3616d6b 100644 --- sys/net/pfkeyv2.c +++ sys/net/pfkeyv2.c @@ -2705,7 +2705,10 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, if (namelen < 1) return (EINVAL); w.w_op = name[0]; - w.w_satype = name[1]; + if (namelen >= 2) + w.w_satype = name[1]; + else + w.w_satype = SADB_SATYPE_UNSPEC; w.w_where = oldp; w.w_len = oldp ? *oldlenp : 0;
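Review bot: The new `namelen >= 2` branch closes the read past the caller-supplied name array (the old code indexed `name[1]` after only checking `namelen < 1`), but the hunk silently defaults to `SADB_SATYPE_UNSPEC` rather than rejecting the request; if no existing caller legitimately passes a one-element name, returning `EINVAL` for `namelen < 2` alongside the existing `namelen < 1` check would be the stricter fix, and either way the remaining code paths that dispatch on `w.w_op` should be checked to confirm that `SADB_SATYPE_UNSPEC` is an accepted value for every operation.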