From: Daniel Mack Date: Mon, 12 Oct 2015 12:44:26 +0000 (+0200) Subject: sd-daemon: wipe out memory before using CMSG_NXTHDR() X-Git-Tag: v228~219^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=40f44238924acf4e7a3ddfc1b0b1c111032bb43d;p=thirdparty%2Fsystemd.git sd-daemon: wipe out memory before using CMSG_NXTHDR() CMSG_NXTHDR() checks for cmsg->cmsg_len *after* it increased the pointer. While this makes sense for parsing received messages, that's a pitfall for code crafting messages with this macro. Wipe out the allocated memory to fix this. --- diff --git a/src/libsystemd/sd-daemon/sd-daemon.c b/src/libsystemd/sd-daemon/sd-daemon.c index 582fb535290..ae534ba5b94 100644 --- a/src/libsystemd/sd-daemon/sd-daemon.c +++ b/src/libsystemd/sd-daemon/sd-daemon.c @@ -454,7 +454,7 @@ _public_ int sd_pid_notify_with_fds(pid_t pid, int unset_environment, const char (n_fds > 0 ? CMSG_SPACE(sizeof(int) * n_fds) : 0) + (have_pid ? CMSG_SPACE(sizeof(struct ucred)) : 0); - msghdr.msg_control = alloca(msghdr.msg_controllen); + msghdr.msg_control = alloca0(msghdr.msg_controllen); cmsg = CMSG_FIRSTHDR(&msghdr); if (n_fds > 0) {
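Review bot: the zero-fill in `msghdr.msg_control = alloca0(msghdr.msg_controllen);` carries a correctness requirement that nothing at the call site states, so the `0` reads as tidiness next to the CMSG_SPACE() arithmetic and is likely to be switched back to alloca() in a later cleanup; add a one-line comment at that line, e.g. `/* must be zeroed: CMSG_NXTHDR() reads the next header's cmsg_len before we fill it in */`, mirroring the commit message. This is also what cmsg(3) asks for: a buffer that will hold a series of cmsghdr structures to be passed to sendmsg(2) should be zero-initialized so that CMSG_NXTHDR() operates correctly. The context shown here stops at `cmsg = CMSG_FIRSTHDR(&msghdr); if (n_fds > 0) {`, so the CMSG_NXTHDR() call that this change is protecting is not visible in the hunk; wherever this function advances to the SCM_CREDENTIALS header it is worth checking the macro's result with systemd's assert_se(), since with plain alloca() a NULL return would have been dereferenced (or the credentials header silently skipped) rather than reported.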
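Added example, not systemd's code and not part of the commit: it builds the same two-entry control block sd_pid_notify_with_fds() builds (an SCM_RIGHTS header followed by an SCM_CREDENTIALS header), but over a heap buffer that is explicitly zeroed, since alloca0() is a systemd-internal helper, and then walks the result back the way a receiver would. The names build_control, count_control, demo_zeroed_chain and struct my_ucred are chosen for this example; struct my_ucred assumes a Linux target and mirrors the kernel's struct ucred, and the SCM_CREDENTIALS fallback value is Linux's, used only when the libc does not expose the constant.

```c
/* Added example (not systemd code): craft SCM_RIGHTS + SCM_CREDENTIALS over a
 * zeroed buffer, then walk it back. build_control/count_control/demo_zeroed_chain
 * and struct my_ucred are names chosen for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 2   /* Linux value; glibc exposes it only under _GNU_SOURCE */
#endif
struct my_ucred { pid_t pid; uid_t uid; gid_t gid; };  /* layout of Linux's struct ucred (assumption) */

struct control_buf {
        struct msghdr msghdr;
        size_t n_headers;   /* cmsg headers actually written */
        int truncated;      /* 1 if CMSG_NXTHDR() returned NULL while crafting */
};

/* `zero` clears the buffer first; otherwise it is filled with `fill`, standing in
 * for the stale stack bytes a plain alloca() hands back. 0 on success, -1 on error. */
static int build_control(struct control_buf *c, const int *fds, size_t n_fds,
                         int with_creds, int zero, unsigned char fill) {
        struct cmsghdr *cmsg;
        size_t len;
        memset(c, 0, sizeof(*c));
        len = (n_fds > 0 ? CMSG_SPACE(sizeof(int) * n_fds) : 0) +
              (with_creds ? CMSG_SPACE(sizeof(struct my_ucred)) : 0);
        if (len == 0 || !(c->msghdr.msg_control = malloc(len)))
                return -1;
        c->msghdr.msg_controllen = len;
        memset(c->msghdr.msg_control, zero ? 0 : fill, len);
        cmsg = CMSG_FIRSTHDR(&c->msghdr);
        if (n_fds > 0) {
                cmsg->cmsg_level = SOL_SOCKET;
                cmsg->cmsg_type = SCM_RIGHTS;
                cmsg->cmsg_len = CMSG_LEN(sizeof(int) * n_fds);
                memcpy(CMSG_DATA(cmsg), fds, sizeof(int) * n_fds);
                c->n_headers++;
                if (with_creds) {
                        /* The pitfall from the commit message: CMSG_NXTHDR() may inspect
                         * the cmsg_len of the header we have not written yet. Zeroed, that
                         * field is 0 and the next slot comes back; garbage may yield NULL. */
                        cmsg = CMSG_NXTHDR(&c->msghdr, cmsg);
                        if (!cmsg) {
                                c->truncated = 1;
                                return 0;
                        }
                }
        }
        if (with_creds) {
                struct my_ucred uc = { getpid(), getuid(), getgid() };
                cmsg->cmsg_level = SOL_SOCKET;
                cmsg->cmsg_type = SCM_CREDENTIALS;
                cmsg->cmsg_len = CMSG_LEN(sizeof(uc));
                memcpy(CMSG_DATA(cmsg), &uc, sizeof(uc));
                c->n_headers++;
        }
        return 0;
}

/* Receiver-style walk: returns the header count and reports how many fds the
 * SCM_RIGHTS entry carried and whether a credentials entry was present. */
static size_t count_control(struct control_buf *c, size_t *fds_seen, int *creds_seen) {
        size_t n = 0;
        *fds_seen = 0;
        *creds_seen = 0;
        for (struct cmsghdr *m = CMSG_FIRSTHDR(&c->msghdr); m; m = CMSG_NXTHDR(&c->msghdr, m)) {
                n++;
                if (m->cmsg_level == SOL_SOCKET && m->cmsg_type == SCM_RIGHTS)
                        *fds_seen = (m->cmsg_len - CMSG_LEN(0)) / sizeof(int);
                else if (m->cmsg_level == SOL_SOCKET && m->cmsg_type == SCM_CREDENTIALS)
                        *creds_seen = 1;
        }
        return n;
}

/* Whole scenario on a zeroed buffer, 3 fds plus credentials: returns the number
 * of headers walked back (2), or -1 if anything went wrong. */
static int demo_zeroed_chain(void) {
        int fds[3] = { 0, 1, 2 }, creds_seen;
        struct control_buf c;
        size_t fds_seen, n;
        if (build_control(&c, fds, 3, 1, 1, 0x01) < 0 || c.truncated)
                return -1;
        n = count_control(&c, &fds_seen, &creds_seen);
        free(c.msghdr.msg_control);
        return (fds_seen == 3 && creds_seen) ? (int) n : -1;
}

int main(void) {
        struct control_buf c;
        int fd = 0;
        printf("zeroed buffer: %d headers walked back\n", demo_zeroed_chain());
        /* Same build over a 0x01-filled buffer; whether it truncates depends on the
         * libc's CMSG_NXTHDR() implementation, which is exactly the point. */
        if (build_control(&c, &fd, 1, 1, 0, 0x01) == 0) {
                printf("garbage buffer: truncated=%d, headers written=%zu\n", c.truncated, c.n_headers);
                free(c.msghdr.msg_control);
        }
        return 0;
}
```

The second build in main() reproduces the pre-fix situation: a glibc of the commit's era computed the next header's position and then read that header's cmsg_len, so a non-zero fill can make CMSG_NXTHDR() return NULL and the credentials header is never written; a libc whose macro validates only the current header will not truncate, which is why the zeroed path is the only one the example relies on.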