authorEd Maste <emaste@FreeBSD.org>2018-01-02 18:31:32 +0000
committerEd Maste <emaste@FreeBSD.org>2018-01-02 18:31:32 +0000
commit5d8501f487e973d6ab6a368360c9dcb101fd08e9 (patch)
tree9ca11c027de17c7d1db890c166c2864cc92589ab /sys/dev/hptnr
parent51cbc81510a577cefcabcab755894d997ad7f895 (diff)
downloadsrc-5d8501f487e973d6ab6a368360c9dcb101fd08e9.tar.gz
src-5d8501f487e973d6ab6a368360c9dcb101fd08e9.zip
hpt{nr,rr}: plug info leak in hpt_ioctl
The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer. Also zero bytesReturned in case it is not written by hpt_do_ioctl(). The hpt27{nr,rr} device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. The same issue was reported in the hpt27xx driver by Ilja Van Sprundel. Reviewed by: jhb, kib MFC after: 3 days Sponsored by: The FreeBSD Foundation
Notes
Notes: svn path=/head/; revision=327498
Diffstat (limited to 'sys/dev/hptnr')
-rw-r--r--sys/dev/hptnr/hptnr_osm_bsd.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/hptnr/hptnr_osm_bsd.c b/sys/dev/hptnr/hptnr_osm_bsd.c
index 0fd09ee93a6e..8afd3e22d2e8 100644
--- a/sys/dev/hptnr/hptnr_osm_bsd.c
+++ b/sys/dev/hptnr/hptnr_osm_bsd.c
@@ -1586,7 +1586,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
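Review bot: The new `= 0` initializer on `bytesReturned` has no comment explaining why it matters, so it reads like a redundant initialization that a later cleanup could drop. I would add `/* hpt_do_ioctl() may not write this; keep it zeroed so stale stack bytes are never reported to the caller */` above the declaration. That the value is later handed back to userland is inferred from the commit message; the copy-out itself is outside this hunk, as is the rest of hpt_ioctl's body.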
@@ -1616,7 +1616,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
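Review bot: `ioctl_args.nOutBufferSize` reaches `malloc()` with no upper bound visible in this hunk, and with `M_WAITOK | M_ZERO` an oversized request will both sleep for memory and zero all of it. If the size is taken directly from the caller's `PHPT_IOCTL_PARAM` (the assignment is outside the hunk, so this is inferred), it should be checked against a driver-defined limit before allocating, e.g. `if (ioctl_args.nOutBufferSize > HPT_IOCTL_MAX_OUT /* placeholder limit */) goto invalid;`. Separately, the `if (!ioctl_args.lpOutBuffer)` test that follows cannot fire, because `M_WAITOK` allocations do not return NULL; it can be removed or replaced by the size check. The enclosing function starts and ends outside this hunk.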