From 1823cafe65caf80f9a4cb5fb7a691e021b9f1232 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 15 Dec 2021 17:21:08 +0000
Subject: [PATCH] structure pads can leak uninitialized memory to userland via copyout, therefore the mandatory idiom is completely clearing structs before building them for copyout -- that means ALMOST ALL STRUCTS, because we never know when some architecture will pad a struct.. In two more cases, the clearing wasn't performed. from Reno Robert ZDI ok millert bluhm
---
 sys/netinet/ip_mroute.c | 3 ++-
 sys/netinet6/ip6_mroute.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index 3cefb2a2596..d6024e2a3c1 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_mroute.c,v 1.130 2020/05/27 11:19:29 mpi Exp $ */
+/* $OpenBSD: ip_mroute.c,v 1.131 2021/12/15 17:21:08 deraadt Exp $ */
 /* $NetBSD: ip_mroute.c,v 1.85 2004/04/26 01:31:57 matt Exp $ */
 /*
@@ -353,6 +353,7 @@ mrt_sysctl_vif(void *oldp, size_t *oldlenp)
 given = *oldlenp;
 needed = 0;
+ memset(&vinfo, 0, sizeof vinfo);
 TAILQ_FOREACH(ifp, &ifnet, if_list) {
 if ((vifp = (struct vif *)ifp->if_mcast) == NULL)
 continue;
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index 047af4ef390..80aa39b523a 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_mroute.c,v 1.126 2021/03/10 10:21:49 jsg Exp $ */
+/* $OpenBSD: ip6_mroute.c,v 1.127 2021/12/15 17:21:08 deraadt Exp $ */
 /* $NetBSD: ip6_mroute.c,v 1.59 2003/12/10 09:28:38 itojun Exp $ */
 /* $KAME: ip6_mroute.c,v 1.45 2001/03/25 08:38:51 itojun Exp $ */
@@ -330,6 +330,7 @@ mrt6_sysctl_mif(void *oldp, size_t *oldlenp)
 given = *oldlenp;
 needed = 0;
+ memset(&minfo, 0, sizeof minfo);
 TAILQ_FOREACH(ifp, &ifnet, if_list) {
 if ((mifp = (struct mif6 *)ifp->if_mcast6) == NULL)
 continue;
-- 
2.20.1
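Review bot: The `memset(&vinfo, 0, sizeof vinfo);` added in mrt_sysctl_vif (sys/netinet/ip_mroute.c) runs once, before `TAILQ_FOREACH`, although the same struct is presumably refilled and copied out on every iteration; the same holds for `memset(&minfo, 0, sizeof minfo);` in mrt6_sysctl_mif (sys/netinet6/ip6_mroute.c). With the clear outside the loop, any member that some iteration does not assign would carry the previous interface's value into the next record, and the zeroed padding is preserved only while every later write is a plain member store. Moving the call to the top of the loop body, after the `continue` check, would make each record start from a clean state. Either way a short comment such as `/* zero padding too: struct is copied out to userland */` would keep the call from being dropped later as redundant. Both loop bodies continue outside the hunks, so the per-iteration assignments and the copyout itself could not be checked here.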