structure pads can leak uninitialized memory to userland via copyout,
authorderaadt <deraadt@openbsd.org>
Wed, 15 Dec 2021 17:21:08 +0000 (17:21 +0000)
committerderaadt <deraadt@openbsd.org>
Wed, 15 Dec 2021 17:21:08 +0000 (17:21 +0000)
therefore the mandatory idiom is completely clearing structs before
building them for copyout -- that means ALMOST ALL STRUCTS, because
we never know when some architecture will pad a struct..  In two more
cases, the clearing wasn't performed.
from Reno Robert ZDI
ok millert bluhm

sys/netinet/ip_mroute.c
sys/netinet6/ip6_mroute.c

index 3cefb2a..d6024e2 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_mroute.c,v 1.130 2020/05/27 11:19:29 mpi Exp $     */
+/*     $OpenBSD: ip_mroute.c,v 1.131 2021/12/15 17:21:08 deraadt Exp $ */
 /*     $NetBSD: ip_mroute.c,v 1.85 2004/04/26 01:31:57 matt Exp $      */
 
 /*
@@ -353,6 +353,7 @@ mrt_sysctl_vif(void *oldp, size_t *oldlenp)
 
        given = *oldlenp;
        needed = 0;
+       memset(&vinfo, 0, sizeof vinfo);
        TAILQ_FOREACH(ifp, &ifnet, if_list) {
                if ((vifp = (struct vif *)ifp->if_mcast) == NULL)
                        continue;
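Review bot: The added `memset(&vinfo, 0, sizeof vinfo);` clears the struct once, before TAILQ_FOREACH, yet vinfo is reused for every vif in the loop, so the clearing only covers padding and any field the loop body leaves untouched on its first use; a field that is assigned on some paths but not others would carry the previous vif's value into the next copyout. If the loop body (which lies outside this hunk, as does the rest of mrt_sysctl_vif) assigns every member unconditionally on each iteration this is sufficient, but the defensive placement is at the top of the loop body, after the `continue;` that skips interfaces without a vif, so that each element is built from an all-zero struct. The same consideration applies to the `memset(&minfo, 0, sizeof minfo);` hunk in sys/netinet6/ip6_mroute.c (mrt6_sysctl_mif), which has the identical shape. A one-line comment above the memset, `/* zero padding too: this struct is copied out to userland */`, would record why the clearing is mandatory for readers who later reorganize the loop.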
index 047af4e..80aa39b 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip6_mroute.c,v 1.126 2021/03/10 10:21:49 jsg Exp $    */
+/*     $OpenBSD: ip6_mroute.c,v 1.127 2021/12/15 17:21:08 deraadt Exp $        */
 /*     $NetBSD: ip6_mroute.c,v 1.59 2003/12/10 09:28:38 itojun Exp $   */
 /*     $KAME: ip6_mroute.c,v 1.45 2001/03/25 08:38:51 itojun Exp $     */
 
@@ -330,6 +330,7 @@ mrt6_sysctl_mif(void *oldp, size_t *oldlenp)
 
        given = *oldlenp;
        needed = 0;
+       memset(&minfo, 0, sizeof minfo);
        TAILQ_FOREACH(ifp, &ifnet, if_list) {
                if ((mifp = (struct mif6 *)ifp->if_mcast6) == NULL)
                        continue;