From 54c4adda4f8746920d25d39873a04138c5518f8b Mon Sep 17 00:00:00 2001
From: canacar
Date: Tue, 14 Apr 2026 18:19:50 +0000
Subject: [PATCH] Clear the pointer in tm data structures before passing them to unprivileged side. Prevents address information leak. Reported by Systopia Team, thanks! ok deraadt@ (for the previous version).
---
 usr.sbin/tcpdump/privsep.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index 5b978e3365f..3822900d8b5 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.59 2025/11/14 21:47:31 dlg Exp $ */
+/* $OpenBSD: privsep.c,v 1.60 2026/04/14 18:19:50 canacar Exp $ */
 /*
 * Copyright (c) 2003 Can Erkin Acar
@@ -585,6 +585,7 @@ impl_localtime(int fd)
 {
 struct tm *lt, *gt;
 time_t t;
+ const char *zone = NULL;
 logmsg(LOG_DEBUG, "[priv]: msg PRIV_LOCALTIME received");
@@ -594,16 +595,19 @@ impl_localtime(int fd)
 * same local buffer */
 if ((lt = localtime(&t)) == NULL)
 errx(1, "localtime()");
+ zone = lt->tm_zone;
+ lt->tm_zone = NULL;
 must_write(fd, lt, sizeof(*lt));
 if ((gt = gmtime(&t)) == NULL)
 errx(1, "gmtime()");
+ gt->tm_zone = NULL;
 must_write(fd, gt, sizeof(*gt));
- if (lt->tm_zone == NULL)
+ if (zone == NULL)
 write_zero(fd);
 else
- write_string(fd, lt->tm_zone);
+ write_string(fd, zone);
 }
 static void
@@ -756,12 +760,11 @@ priv_localtime(const time_t *t)
 must_read(priv_fd, <, sizeof(lt));
 must_read(priv_fd, >0, sizeof(gt0));
+ if (lt.tm_zone != NULL || gt0.tm_zone != NULL)
+ errx(1, "%s: pointer leak from privileged portion", __func__);
 if (read_string(priv_fd, zone, sizeof(zone), __func__))
 lt.tm_zone = zone;
- else
- lt.tm_zone = NULL;
- gt0.tm_zone = NULL;
 gt = >0;
 return <
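Review bot: The added `lt->tm_zone = NULL;` and `gt->tm_zone = NULL;` in impl_localtime() carry no comment, so the reason for the scrub lives only in the commit message and a later cleanup could mistake them for dead stores. I would put `/* tm_zone is an address in the privileged process; never send it across the privsep boundary */` above the first assignment. Both structs are still written whole with `sizeof(*lt)` and `sizeof(*gt)`, so only this one member is sanitised; if struct tm carries any other pointer-typed member on some libc it would cross unscrubbed, which is an inference because the struct layout is not visible here. The saved `zone` is also read after gmtime() has run on what the existing comment calls the same buffer, so the comment could state that the string it points to is expected to outlive that call. impl_localtime() begins before this hunk.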
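Review bot: The new `errx()` guard in priv_localtime() runs in the unprivileged process after `must_read()` has already copied the structs into `lt` and `gt0`, so it is a regression tripwire and not the control that prevents the disclosure; the enforcement is the clearing done on the privileged side. A short comment would stop readers from treating it as the security boundary, for example `/* sanity check only: the privileged side must already have cleared tm_zone */`. The same guard is what makes it safe to drop the `else lt.tm_zone = NULL;` branch and the `gt0.tm_zone = NULL;` reset, and that invariant deserves a mention in the comment as well. The opening of priv_localtime() is outside this hunk, so any other path that sets `tm_zone` cannot be checked from here.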