Date: Fri, 06 May 2005 22:22:44 +0200
From: Uwe Doering <gemini@geminix.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:08.kmem
Message-ID: <427BD214.4070201@geminix.org>
In-Reply-To: <427B3F46.8050607@geminix.org>
References: <200505060303.j4633Nif089160@freefall.freebsd.org> <427B3F46.8050607@geminix.org>

Uwe Doering wrote:
> FreeBSD Security Advisories wrote:
> > [...]
> However, isn't there a similar case in tcp_pcblist()?  Only that this
> time a "struct xtcpcb" variable is concerned.  It isn't guaranteed to be
> completely initialized, either.  Especially since it has the same kind
> of explicit alignment padding at the end as "struct xinpcb" which cannot
> be expected to become initialized in the course of data assignment in
> any case.
> [...]

Well, I'm afraid there is another one in unp_pcblist() (uipc_usrreq.c).
Same story.

After that I searched the whole kernel sources for '_pcblist', but it
turned out that tcp_pcblist() and unp_pcblist() are the only places that
had been overlooked.  At least as far as functions named '*_pcblist' are
concerned ...

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
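
The pattern discussed in this message, as an added userland example that is not part of the original e-mail or of the FreeBSD sources: a record with explicit trailing alignment padding is filled field by field in storage that already holds old data, and the padding bytes reach the consumer unchanged unless the whole record is cleared first. The struct `xrec`, its field names, the `STALE` fill byte and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical export record (not a FreeBSD struct): real fields followed
 * by explicit alignment padding at the end, as the message describes. */
struct xrec {
    uint32_t xr_len;
    uint32_t xr_port;
    uint64_t xr_id;
    uint8_t  xr_align[8];   /* explicit padding; no field assignment reaches it */
};
#define STALE 0xA5          /* constructed stand-in for leftover stack bytes */

/* Field-by-field fill: leaves xr_align holding whatever was there before. */
static void fill_fieldwise(struct xrec *x, uint32_t port, uint64_t id)
{
    x->xr_len = (uint32_t)sizeof(*x);
    x->xr_port = port;
    x->xr_id = id;
}

/* Hardened fill: clear the whole record first, then assign the fields. */
static void fill_zeroed(struct xrec *x, uint32_t port, uint64_t id)
{
    memset(x, 0, sizeof(*x));
    fill_fieldwise(x, port, id);
}

/* Fill a dirty record and count bytes that differ from a fully defined one. */
static size_t stale_bytes_exported(void (*fill)(struct xrec *, uint32_t, uint64_t))
{
    struct xrec out, ref;
    const unsigned char *o = (const unsigned char *)&out;
    const unsigned char *r = (const unsigned char *)&ref;
    size_t i, n = 0;
    memset(&out, STALE, sizeof(out));      /* simulate a dirty stack slot */
    fill(&out, 8080, 0x1122334455667788ULL);
    fill_zeroed(&ref, 8080, 0x1122334455667788ULL);
    for (i = 0; i < sizeof(out); i++)
        n += (o[i] != r[i]);
    return n;
}

int main(void)
{
    printf("field-wise: %zu stale bytes, zeroed: %zu stale bytes\n",
        stale_bytes_exported(fill_fieldwise), stale_bytes_exported(fill_zeroed));
    return 0;
}
```

The same byte-for-byte comparison against a zeroed reference works as a regression check for any fixed-layout record copied out across a trust boundary.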