authorTheo de Raadt <deraadt@cvs.openbsd.org>2021-12-15 17:21:09 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2021-12-15 17:21:09 +0000
commitae8679b78c3aafd49d62d1cdbf3c85f013e74733 (patch)
tree487c41b406098fefdca9917c489ea28dc910df9d
parent83a122c13140b32e424c152d1b842dc4fdb24c02 (diff)
structure pads can leak uninitialized memory to userland via copyout,
therefore the mandatory idiom is completely clearing structs before building them for copyout -- that means ALMOST ALL STRUCTS, because we never know when some architecture will pad a struct. In two more cases, the clearing wasn't performed. from Reno Robert ZDI ok millert bluhm
-rw-r--r--sys/netinet/ip_mroute.c3
-rw-r--r--sys/netinet6/ip6_mroute.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index 3cefb2a2596..d6024e2a3c1 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_mroute.c,v 1.130 2020/05/27 11:19:29 mpi Exp $ */
+/* $OpenBSD: ip_mroute.c,v 1.131 2021/12/15 17:21:08 deraadt Exp $ */
/* $NetBSD: ip_mroute.c,v 1.85 2004/04/26 01:31:57 matt Exp $ */
/*
@@ -353,6 +353,7 @@ mrt_sysctl_vif(void *oldp, size_t *oldlenp)
given = *oldlenp;
needed = 0;
+ memset(&vinfo, 0, sizeof vinfo);
TAILQ_FOREACH(ifp, &ifnet, if_list) {
if ((vifp = (struct vif *)ifp->if_mcast) == NULL)
continue;
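Review bot: The `memset(&vinfo, 0, sizeof vinfo);` sits before the `TAILQ_FOREACH` loop, so the struct is cleared once for the whole interface walk rather than once per record that is copied out. That keeps padding zero only if each iteration assigns members one by one and leaves no member untouched; the loop body and the copyout call are outside this hunk, so that cannot be confirmed from the visible lines. A comment above the call would record the invariant, for example `/* cleared once: pads must be zero at copyout, loop rewrites every member */`, or the call could move to the top of the loop body after the `continue` check. The same point applies to `memset(&minfo, 0, sizeof minfo);` in mrt6_sysctl_mif in sys/netinet6/ip6_mroute.c.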
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index 047af4ef390..80aa39b523a 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_mroute.c,v 1.126 2021/03/10 10:21:49 jsg Exp $ */
+/* $OpenBSD: ip6_mroute.c,v 1.127 2021/12/15 17:21:08 deraadt Exp $ */
/* $NetBSD: ip6_mroute.c,v 1.59 2003/12/10 09:28:38 itojun Exp $ */
/* $KAME: ip6_mroute.c,v 1.45 2001/03/25 08:38:51 itojun Exp $ */
@@ -330,6 +330,7 @@ mrt6_sysctl_mif(void *oldp, size_t *oldlenp)
given = *oldlenp;
needed = 0;
+ memset(&minfo, 0, sizeof minfo);
TAILQ_FOREACH(ifp, &ifnet, if_list) {
if ((mifp = (struct mif6 *)ifp->if_mcast6) == NULL)
continue;