svn commit: r332066 - stable/11/sys/netinet
Ed Maste
emaste at FreeBSD.org
Thu Apr 5 12:56:41 UTC 2018
Author: emaste
Date: Thu Apr 5 12:56:40 2018
New Revision: 332066
URL: https://svnweb.freebsd.org/changeset/base/332066
Log:
MFC r332045: Fix kernel memory disclosure in tcp_ctloutput
strcpy was used to copy a string into a buffer copied to userland, which
left uninitialized data after the terminating 0-byte. Use the same
approach as in tcp_subr.c: strncpy and explicit '\0'.
admbugs: 765, 822
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reported by: Vlad Tsyrklevich
Security: Kernel memory disclosure
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/netinet/tcp_usrreq.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet/tcp_usrreq.c
==============================================================================
--- stable/11/sys/netinet/tcp_usrreq.c Thu Apr 5 12:54:12 2018 (r332065)
+++ stable/11/sys/netinet/tcp_usrreq.c Thu Apr 5 12:56:40 2018 (r332066)
@@ -1495,7 +1495,9 @@ tcp_ctloutput(struct socket *so, struct sockopt *sopt)
return (error);
} else if ((sopt->sopt_dir == SOPT_GET) &&
(sopt->sopt_name == TCP_FUNCTION_BLK)) {
- strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+ strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+ TCP_FUNCTION_NAME_LEN_MAX);
+ fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
fsn.pcbcnt = tp->t_fb->tfb_refcnt;
INP_WUNLOCK(inp);
error = sooptcopyout(sopt, &fsn, sizeof fsn);
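Review bot: The strncpy/explicit-NUL pair only cleans function_set_name, yet the whole struct is copied out with `sooptcopyout(sopt, &fsn, sizeof fsn)`; nothing in this hunk shows fsn being zeroed before its fields are filled, so any field or compiler padding in fsn other than function_set_name and pcbcnt would still reach userland uninitialized. Unless the struct is already cleared earlier in the function, a `memset(&fsn, 0, sizeof fsn)` (or `bzero`) before the strncpy would close that gap completely rather than relying on strncpy's padding of one member. Worth a short comment on the `fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';` line as well, since the truncation it guards is silent and the explicit terminator is easy to drop in a future edit.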