author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-08-24 14:00:30 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-08-24 14:00:30 +0000 |
commit | f8c702dffb696c8047b94b8e2e14b377d85ddebd (patch) | |
tree | eed305943566e29a1b3877d2bf85f5ef31f03b93 | |
parent | d016c6dcaf5f4cffe1776c10e9a875ccb21bc51e (diff) |
In kernel initialize struct sockaddr_in and sockaddr_in6 to zero
everywhere to avoid passing around pointers to uninitialized stack
memory. While there, fix the call to in6_recoverscope() in
fill_drlist().
OK deraadt@ mpi@
-rw-r--r-- | sys/net/pipex.c | 30 | ||||
-rw-r--r-- | sys/netinet/in.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_mroute.c | 4 | ||||
-rw-r--r-- | sys/netinet6/in6.c | 6 | ||||
-rw-r--r-- | sys/netinet6/ip6_mroute.c | 3 | ||||
-rw-r--r-- | sys/netinet6/nd6.c | 8 | ||||
-rw-r--r-- | sys/nfs/krpc_subr.c | 5 | ||||
-rw-r--r-- | sys/nfs/nfs_socket.c | 5 |
8 files changed, 41 insertions, 26 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c index 411eae25dec..f0824593574 100644 --- a/sys/net/pipex.c +++ b/sys/net/pipex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pipex.c,v 1.72 2015/07/16 16:12:15 mpi Exp $ */ +/* $OpenBSD: pipex.c,v 1.73 2015/08/24 14:00:28 bluhm Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -1736,12 +1736,14 @@ drop: struct pipex_session * pipex_pptp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst) { - struct sockaddr_in sin4; + struct sockaddr_in sin; - sin4.sin_family = AF_INET; - sin4.sin_addr = dst; + memset(&sin, 0, sizeof(sin)); + sin.sin_len = sizeof(sin); + sin.sin_family = AF_INET; + sin.sin_addr = dst; - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin4); + return pipex_pptp_userland_lookup_session(m0, sintosa(&sin)); } #ifdef INET6 @@ -1750,10 +1752,12 @@ pipex_pptp_userland_lookup_session_ipv6(struct mbuf *m0, struct in6_addr dst) { struct sockaddr_in6 sin6; + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_len = sizeof(sin6); sin6.sin6_family = AF_INET6; in6_recoverscope(&sin6, &dst, NULL); - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin6); + return pipex_pptp_userland_lookup_session(m0, sin6tosa(&sin6)); } #endif @@ -2168,12 +2172,14 @@ drop: struct pipex_session * pipex_l2tp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst) { - struct sockaddr_in sin4; + struct sockaddr_in sin; - sin4.sin_family = AF_INET; - sin4.sin_addr = dst; + memset(&sin, 0, sizeof(sin)); + sin.sin_len = sizeof(sin); + sin.sin_family = AF_INET; + sin.sin_addr = dst; - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin4); + return pipex_l2tp_userland_lookup_session(m0, sintosa(&sin)); } #ifdef INET6 
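Review bot: In pipex_pptp_userland_lookup_session_ipv4() nothing records why the whole structure is cleared, and since length, family and address are assigned right after it, the memset can look redundant to a later reader. A one-line comment above it would keep it in place: `/* zero sin_zero and padding; the sockaddr leaves this function by pointer */`. The same applies to the sin6 variant in the next hunk and to both pipex_l2tp_userland_lookup_session_* helpers further down. In the two IPv6 helpers the result of `in6_recoverscope(&sin6, &dst, NULL)` is discarded; whether that call can fail is not visible in this diff, so it is worth confirming.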
@@ -2182,10 +2188,12 @@ pipex_l2tp_userland_lookup_session_ipv6(struct mbuf *m0, struct in6_addr dst) { struct sockaddr_in6 sin6; + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_len = sizeof(sin6); sin6.sin6_family = AF_INET6; in6_recoverscope(&sin6, &dst, NULL); - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin6); + return pipex_l2tp_userland_lookup_session(m0, sin6tosa(&sin6)); } #endif diff --git a/sys/netinet/in.c b/sys/netinet/in.c index d1fa710c892..5063357db80 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in.c,v 1.120 2015/07/08 07:56:51 mpi Exp $ */ +/* $OpenBSD: in.c,v 1.121 2015/08/24 14:00:29 bluhm Exp $ */ /* $NetBSD: in.c,v 1.26 1996/02/13 23:41:39 christos Exp $ */ /* @@ -809,7 +809,7 @@ in_addmulti(struct in_addr *ap, struct ifnet *ifp) * New address; allocate a new multicast record * and link it into the interface's multicast list. */ - inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT); + inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT | M_ZERO); if (inm == NULL) return (NULL); @@ -824,6 +824,7 @@ in_addmulti(struct in_addr *ap, struct ifnet *ifp) * Ask the network driver to update its multicast reception * filter appropriately for the new address. */ + memset(&ifr, 0, sizeof(ifr)); memcpy(&ifr.ifr_addr, &inm->inm_sin, sizeof(inm->inm_sin)); if ((*ifp->if_ioctl)(ifp, SIOCADDMULTI,(caddr_t)&ifr) != 0) { free(inm, M_IPMADDR, sizeof(*inm)); @@ -867,6 +868,7 @@ in_delmulti(struct in_multi *inm) * reception filter. */ if (ifp != NULL) { + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c index 19ebc85000d..f55e79c606a 100644 --- a/sys/netinet/ip_mroute.c +++ b/sys/netinet/ip_mroute.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_mroute.c,v 1.79 2015/07/15 17:55:08 deraadt Exp $ */ +/* $OpenBSD: ip_mroute.c,v 1.80 2015/08/24 14:00:29 bluhm Exp $ */ /* $NetBSD: ip_mroute.c,v 1.85 2004/04/26 01:31:57 matt Exp $ */ /* @@ -889,6 +889,7 @@ add_vif(struct mbuf *m) return (EOPNOTSUPP); /* Enable promiscuous reception of all IP multicasts. */ + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr; @@ -943,6 +944,7 @@ reset_vif(struct vif *vifp) reg_vif_num = VIFI_INVALID; #endif } else { + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr; diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index 866a8a74e91..6773b0d998b 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in6.c,v 1.165 2015/08/19 13:27:38 bluhm Exp $ */ +/* $OpenBSD: in6.c,v 1.166 2015/08/24 14:00:29 bluhm Exp $ */ /* $KAME: in6.c,v 1.372 2004/06/14 08:14:21 itojun Exp $ */ /* @@ -868,7 +868,7 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra, * join interface-local all-nodes address. * (ff01::1%ifN, and ff01::%ifN/32) */ - bzero(&mltaddr.sin6_addr, sizeof(mltaddr.sin6_addr)); + bzero(&mltaddr, sizeof(mltaddr)); mltaddr.sin6_len = sizeof(struct sockaddr_in6); mltaddr.sin6_family = AF_INET6; mltaddr.sin6_addr = in6addr_intfacelocal_allnodes; @@ -1346,7 +1346,7 @@ in6_addmulti(struct in6_addr *maddr6, struct ifnet *ifp, int *errorp) * New address; allocate a new multicast record * and link it into the interface's multicast list. */ - in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT); + in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT | M_ZERO); if (in6m == NULL) { *errorp = ENOBUFS; return (NULL); 
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c index e6cb30a07cc..ed028a80c63 100644 --- a/sys/netinet6/ip6_mroute.c +++ b/sys/netinet6/ip6_mroute.c @@ -557,6 +557,7 @@ ip6_mrouter_done(void) for (mifi = 0; mifi < nummifs; mifi++) { if (mif6table[mifi].m6_ifp && !(mif6table[mifi].m6_flags & MIFF_REGISTER)) { + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr= in6addr_any; ifp = mif6table[mifi].m6_ifp; @@ -695,6 +696,7 @@ add_m6if(struct mif6ctl *mifcp) * Enable promiscuous reception of all IPv6 multicasts * from the interface. */ + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr = in6addr_any; error = (*ifp->if_ioctl)(ifp, SIOCADDMULTI, (caddr_t)&ifr); @@ -760,6 +762,7 @@ del_m6if(mifi_t *mifip) */ ifp = mifp->m6_ifp; + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr = in6addr_any; (*ifp->if_ioctl)(ifp, SIOCDELMULTI, (caddr_t)&ifr); diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 1f6dca27246..b10dfb51563 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nd6.c,v 1.146 2015/08/23 14:12:05 naddy Exp $ */ +/* $OpenBSD: nd6.c,v 1.147 2015/08/24 14:00:29 bluhm Exp $ */ /* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */ /* @@ -1834,9 +1834,7 @@ fill_drlist(void *oldp, size_t *oldlenp, size_t ol) bzero(d, sizeof(*d)); d->rtaddr.sin6_family = AF_INET6; d->rtaddr.sin6_len = sizeof(struct sockaddr_in6); - d->rtaddr.sin6_addr = dr->rtaddr; - in6_recoverscope(&d->rtaddr, &d->rtaddr.sin6_addr, - dr->ifp); + in6_recoverscope(&d->rtaddr, &dr->rtaddr, dr->ifp); d->flags = dr->flags; d->rtlifetime = dr->rtlifetime; d->expire = dr->expire; 
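Review bot: After the new `memset(&ifr, 0, sizeof(ifr))` in ip6_mrouter_done() the request address carries `sin6_len` equal to 0, because only `sin6_family` and `sin6_addr` are assigned in the visible lines. The IPv4 counterparts in add_vif() and reset_vif() set `sin_len` explicitly; here `ifr.ifr_addr.sin6_len = sizeof(ifr.ifr_addr);` should follow the memset so that a driver which validates the length does not see a zero-length sockaddr. add_m6if() and del_m6if() in the next two hunks have the same gap, and in both of them the if_ioctl call follows directly. The field was never set before this commit either, but it previously held stack residue and is now a deterministic zero.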
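Review bot: fill_drlist() now relies on in6_recoverscope() alone to store the router address, because the explicit `d->rtaddr.sin6_addr = dr->rtaddr;` is removed and the call's return value is discarded. The body of in6_recoverscope() is not part of this diff; if it can return before copying, the entry would go out with the all-zero address left by the bzero, so that should be confirmed. A comment at the call makes the dependency explicit: `/* in6_recoverscope() stores dr->rtaddr into sin6_addr and sets sin6_scope_id */`. fill_prlist() in the following hunk has the same dependency for its on-stack sin6 after `sin6.sin6_addr = pfr->router->rtaddr;` was dropped.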
@@ -1927,9 +1925,9 @@ fill_prlist(void *oldp, size_t *oldlenp, size_t ol) advrtrs++; continue; } + bzero(&sin6, sizeof(sin6)); sin6.sin6_family = AF_INET6; sin6.sin6_len = sizeof(struct sockaddr_in6); - sin6.sin6_addr = pfr->router->rtaddr; in6_recoverscope(&sin6, &pfr->router->rtaddr, pfr->router->ifp); advrtrs++; diff --git a/sys/nfs/krpc_subr.c b/sys/nfs/krpc_subr.c index eb3ab4c134c..eddad29015a 100644 --- a/sys/nfs/krpc_subr.c +++ b/sys/nfs/krpc_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: krpc_subr.c,v 1.28 2015/07/15 22:16:42 deraadt Exp $ */ +/* $OpenBSD: krpc_subr.c,v 1.29 2015/08/24 14:00:29 bluhm Exp $ */ /* $NetBSD: krpc_subr.c,v 1.12.4.1 1996/06/07 00:52:26 cgd Exp $ */ /* @@ -270,7 +270,8 @@ krpc_call(struct sockaddr_in *sa, u_int prog, u_int vers, u_int func, MGET(m, M_WAIT, MT_SONAME); sin = mtod(m, struct sockaddr_in *); - sin->sin_len = m->m_len = sizeof (struct sockaddr_in); + memset(sin, 0, sizeof(*sin)); + sin->sin_len = m->m_len = sizeof(struct sockaddr_in); sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(0); diff --git a/sys/nfs/nfs_socket.c b/sys/nfs/nfs_socket.c index a5a2a88cf75..168c70f7de7 100644 --- a/sys/nfs/nfs_socket.c +++ b/sys/nfs/nfs_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nfs_socket.c,v 1.110 2015/07/15 22:16:42 deraadt Exp $ */ +/* $OpenBSD: nfs_socket.c,v 1.111 2015/08/24 14:00:29 bluhm Exp $ */ /* $NetBSD: nfs_socket.c,v 1.27 1996/04/15 20:20:00 thorpej Exp $ */ /* @@ -258,7 +258,8 @@ nfs_connect(struct nfsmount *nmp, struct nfsreq *rep) MGET(m, M_WAIT, MT_SONAME); sin = mtod(m, struct sockaddr_in *); - sin->sin_len = m->m_len = sizeof (struct sockaddr_in); + memset(sin, 0, sizeof(*sin)); + sin->sin_len = m->m_len = sizeof(struct sockaddr_in); sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(0); |
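Review bot: In krpc_call() the cleared size is `sizeof(*sin)` while the length advertised on the next line is `sizeof(struct sockaddr_in)`. Writing `sin->sin_len = m->m_len = sizeof(*sin);` ties both to the same object, so the zeroed region and m_len cannot drift apart if the type ever changes. nfs_connect() in sys/nfs/nfs_socket.c carries the identical pair of lines. Both functions begin and end outside their hunks.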