From c8915b1edf5f30c94370b39ef5a776c42cbfbf9a Mon Sep 17 00:00:00 2001 From: deraadt Date: Wed, 5 Apr 2017 13:35:18 +0000 Subject: [PATCH] When building counter memory in preparation to copy to userland, always zero the buffers first. All the current objects appear to be safe, however future changes might introduce structure pads. Discussed with guenther, ok bluhm --- sys/net/if_pfsync.c | 3 ++- sys/net/rtsock.c | 5 +++-- sys/netinet/igmp.c | 4 ++-- sys/netinet/ip_carp.c | 3 ++- sys/netinet/ip_divert.c | 4 ++-- sys/netinet/ip_icmp.c | 4 ++-- sys/netinet/ip_input.c | 4 ++-- sys/netinet/ip_ipip.c | 3 ++- sys/netinet/tcp_usrreq.c | 3 ++- sys/netinet/udp_usrreq.c | 4 ++-- sys/netinet6/icmp6.c | 4 ++-- 11 files changed, 23 insertions(+), 18 deletions(-) diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c index aa53c5c8b05..80f3787e4a4 100644 --- a/sys/net/if_pfsync.c +++ b/sys/net/if_pfsync.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pfsync.c,v 1.246 2017/03/11 13:21:16 stsp Exp $ */ +/* $OpenBSD: if_pfsync.c,v 1.247 2017/04/05 13:35:18 deraadt Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff @@ -2384,6 +2384,7 @@ pfsync_sysctl_pfsyncstat(void *oldp, size_t *oldlenp, void *newp) struct pfsyncstats pfsyncstat; CTASSERT(sizeof(pfsyncstat) == (pfsyncs_ncounters * sizeof(uint64_t))); + memset(&pfsyncstat, 0, sizeof pfsyncstat); counters_read(pfsynccounters, (uint64_t *)&pfsyncstat, pfsyncs_ncounters); return (sysctl_rdstruct(oldp, oldlenp, newp, diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 73814c16075..53778a5c06d 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtsock.c,v 1.235 2017/03/16 10:13:11 mpi Exp $ */ +/* $OpenBSD: rtsock.c,v 1.236 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */ /* 
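Review bot: The memset added in pfsync_sysctl_pfsyncstat() carries no comment, and sitting between the CTASSERT and a counters_read() that is handed pfsyncs_ncounters words it reads like a dead store that a later cleanup could remove. The CTASSERT only describes today's layout; the memset is what keeps stale kernel stack bytes out of the sysctl_rdstruct() copy if the struct ever gains padding or a non-counter member. I would add `/* zero first: padding added later must not carry stack bytes to userland */` above it. The same applies to carpstat and ipipstat, and to the structs filled word by word in a loop (rtstat, igmpstat, divstat, icmpstat, ipstat, udpstat). The function body continues outside the hunk.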
@@ -1642,6 +1642,7 @@ sysctl_rtable(int *name, u_int namelen, void *where, size_t *given, void *new, tableid = w.w_arg; if (!rtable_exists(tableid)) return (ENOENT); + memset(&tableinfo, 0, sizeof tableinfo); tableinfo.rti_tableid = tableid; tableinfo.rti_domainid = rtable_l2(tableid); error = sysctl_rdstruct(where, given, new, @@ -1673,7 +1674,7 @@ sysctl_rtable_rtstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(rtstat) == (nitems(counters) * sizeof(uint32_t))); - + memset(&rtstat, 0, sizeof rtstat); counters_read(rtcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c index d5c8415430c..5576f74252e 100644 --- a/sys/netinet/igmp.c +++ b/sys/netinet/igmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: igmp.c,v 1.64 2017/02/05 16:23:38 jca Exp $ */ +/* $OpenBSD: igmp.c,v 1.65 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: igmp.c,v 1.15 1996/02/13 23:41:25 christos Exp $ */ /* @@ -707,7 +707,7 @@ igmp_sysctl_igmpstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(igmpstat) == (nitems(counters) * sizeof(u_long))); - + memset(&igmpstat, 0, sizeof igmpstat); counters_read(igmpcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c index e80f3c29f02..9944b4a5201 100644 --- a/sys/netinet/ip_carp.c +++ b/sys/netinet/ip_carp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_carp.c,v 1.304 2017/03/23 14:12:46 bluhm Exp $ */ +/* $OpenBSD: ip_carp.c,v 1.305 2017/04/05 13:35:18 deraadt Exp $ */ /* * Copyright (c) 2002 Michael Shalayeff. All rights reserved. @@ -729,6 +729,7 @@ carp_sysctl_carpstat(void *oldp, size_t *oldlenp, void *newp) struct carpstats carpstat; CTASSERT(sizeof(carpstat) == (carps_ncounters * sizeof(uint64_t))); + memset(&carpstat, 0, sizeof carpstat); counters_read(carpcounters, (uint64_t *)&carpstat, carps_ncounters); return (sysctl_rdstruct(oldp, oldlenp, newp, &carpstat, sizeof(carpstat))); 
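Review bot: The memset in sysctl_rtable() is the one place in this patch where the struct is filled member by member (`rti_tableid`, `rti_domainid`) and not overwritten as a whole, and it has no comment saying that every other byte of tableinfo reaches sysctl_rdstruct() exactly as the memset left it. It is worth recording that memset is deliberate, since an initializer such as `= { 0 }` is not guaranteed to clear padding bytes: `/* memset, not an initializer: padding and unset members must be zero before copyout */`. Whether struct rt_tableinfo has further members is not visible here, and the function starts and ends outside the hunk.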
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index ffa0b3b0e2c..1f95bd5d935 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_divert.c,v 1.45 2017/03/13 20:18:21 claudio Exp $ */ +/* $OpenBSD: ip_divert.c,v 1.46 2017/04/05 13:35:18 deraadt Exp $ */ /* * Copyright (c) 2009 Michele Marchetto @@ -344,7 +344,7 @@ divert_sysctl_divstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(divstat) == (nitems(counters) * sizeof(u_long))); - + memset(&divstat, 0, sizeof divstat); counters_read(divcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 59bca7146f7..6ec9772ce43 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_icmp.c,v 1.163 2017/02/07 22:30:16 jmatthew Exp $ */ +/* $OpenBSD: ip_icmp.c,v 1.164 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */ /* @@ -929,7 +929,7 @@ icmp_sysctl_icmpstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(icmpstat) == (nitems(counters) * sizeof(u_long))); - + memset(&icmpstat, 0, sizeof icmpstat); counters_read(icmpcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 3a5990bdd76..4a43563637d 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.295 2017/02/05 16:23:38 jca Exp $ */ +/* $OpenBSD: ip_input.c,v 1.296 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -1655,7 +1655,7 @@ ip_sysctl_ipstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(ipstat) == (nitems(counters) * sizeof(u_long))); - + memset(&ipstat, 0, sizeof ipstat); counters_read(ipcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) 
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c index 632a80adc7e..7a47b18773d 100644 --- a/sys/netinet/ip_ipip.c +++ b/sys/netinet/ip_ipip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipip.c,v 1.72 2017/03/10 07:29:25 jca Exp $ */ +/* $OpenBSD: ip_ipip.c,v 1.73 2017/04/05 13:35:18 deraadt Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -603,6 +603,7 @@ ipip_sysctl_ipipstat(void *oldp, size_t *oldlenp, void *newp) struct ipipstat ipipstat; CTASSERT(sizeof(ipipstat) == (ipips_ncounters * sizeof(uint64_t))); + memset(&ipipstat, 0, sizeof ipipstat); counters_read(ipipcounters, (uint64_t *)&ipipstat, ipips_ncounters); return (sysctl_rdstruct(oldp, oldlenp, newp, &ipipstat, sizeof(ipipstat))); diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 272f4ebcd4a..ba38eb76eae 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_usrreq.c,v 1.146 2017/04/02 12:56:39 jca Exp $ */ +/* $OpenBSD: tcp_usrreq.c,v 1.147 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */ /* @@ -833,6 +833,7 @@ tcp_sysctl_tcpstat(void *oldp, size_t *oldlenp, void *newp) #define ASSIGN(field) do { tcpstat.field = counters[i++]; } while (0) + memset(&tcpstat, 0, sizeof tcpstat); counters_read(tcpcounters, counters, nitems(counters)); ASSIGN(tcps_connattempt); ASSIGN(tcps_accepts); diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 4bf87700c17..be8f3ca6ef9 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.232 2017/03/13 20:18:21 claudio Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.233 2017/04/05 13:35:18 deraadt Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* 
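Review bot: Nothing visible in the tcp_sysctl_tcpstat() hunk ties the ASSIGN() list to the layout of tcpstat, whereas the other stat functions in this patch carry a CTASSERT. With the new memset a field missing from the list is reported as zero instead of stack contents, which is safe but silent, and one ASSIGN() too many would still index past counters[]. If the part of the function outside the hunk does not already check this, `KASSERT(i == nitems(counters));` after the last ASSIGN() would catch a list that has fallen out of step in either direction. The ASSIGN() sequence continues past the end of the hunk, so this is inferred from the lines shown.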
@@ -1357,7 +1357,7 @@ udp_sysctl_udpstat(void *oldp, size_t *oldlenp, void *newp) int i; CTASSERT(sizeof(udpstat) == (nitems(counters) * sizeof(u_long))); - + memset(&udpstat, 0, sizeof udpstat); counters_read(udpcounters, counters, nitems(counters)); for (i = 0; i < nitems(counters); i++) diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 88bb835df54..215d953bf21 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: icmp6.c,v 1.203 2017/03/03 13:19:40 bluhm Exp $ */ +/* $OpenBSD: icmp6.c,v 1.204 2017/04/05 13:35:18 deraadt Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -1997,7 +1997,7 @@ icmp6_sysctl_icmp6stat(void *oldp, size_t *oldlenp, void *newp) int ret; CTASSERT(sizeof(*icmp6stat) == icp6s_ncounters * sizeof(uint64_t)); - icmp6stat = malloc(sizeof(*icmp6stat), M_TEMP, M_WAITOK); + icmp6stat = malloc(sizeof(*icmp6stat), M_TEMP, M_WAITOK|M_ZERO); counters_read(icmp6counters, (uint64_t *)icmp6stat, icp6s_ncounters); ret = sysctl_rdstruct(oldp, oldlenp, newp, icmp6stat, sizeof(*icmp6stat)); -- 2.20.1