Add SA-14:17.kmem and EN-14:09.jail.

This commit is contained in:
Xin LI 2014-07-08 22:23:25 +00:00
parent 85345b9d9e
commit d126e9c52b
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=45230
12 changed files with 1187 additions and 0 deletions

View file

@ -0,0 +1,121 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:09.jail Errata Notice
The FreeBSD Project
Topic: Jail fails to start if WITHOUT_INET/WITHOUT_INET6 is used
Category: core
Module: jail
Announced: 2014-07-08
Credits: Eugene Grosbein, Chris Rees
Affects: FreeBSD 8.4
Corrected: 2014-07-02 19:18:59 UTC (stable/8, 8.4-STABLE)
2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The jail(8) utility creates new jails, or modifies or removes existing
jails.
II. Problem Description
The jail(8) rc(8) script used to start jails on the system does not
properly detect if an address protocol is in use on the system.
III. Impact
When the FreeBSD kernel and userland are built either without IPv4 or IPv6
support by defining WITHOUT_INET or WITHOUT_INET6 in src.conf(5), the jail(8)
will fail to start with an non-descriptive error.
IV. Workaround
No workaround is available, however systems that do not define WITHOUT_INET
or WITHOUT_INET6 are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch
# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch.asc
# gpg --verify jail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r268168
releng/8.4/ r268435
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:09.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJTvG0oAAoJEO1n7NZdz2rnEeUP+gJuYN0VoSbT+0zPJH9u61/K
gJma3dUY4zuKDRyLhYNTCM+fKIwCZ07+9lesAeDm8mXts0UGGvjSHVqxXlG1hiGi
2W8AxNzvV0FQuE6awlz8dDE2ikATkae7VPBoLraq0a7CEH4kW/mnl4+xQ3I2Hgc+
wTmF+R13mb905xbF+52aj1jDUus8+ZFuDY0VRV3IY34i9OxcnoQO+T8v1w6d9ly3
KbHmZXd2LPS0yeITAWuk4p1gwl8vi7uz7IiJcxrw/YEOUC6LkHO5/JUPRDz1O5Dd
snRmFFF5w77u5bYWpHHU6kw4/k0GwuS1jfQnQm1ag/Gl8A1O4BA4ixvItOrU/FiT
KxoOsdrMgD9jvIyHKOGPyio+FQuRdn+TsyE7WDw/MO2sZ3Et8nG49PccSbFQxuWu
IFXoK+1gI1Vst5YlMUwbCwQRCuBawaUVhfWqF5jIeVvW2uPRr6S1rIJOyGy/HlKO
HwdEtBbDcukWYojjG3pcORdv/HaQkN47NrJrJ6bWldJCshhSwPJ1ivyKLL16hjf2
H/Tk+IHfVULjxgMEY7wQ3fL6kkgMHbrfxhBSy6LVYJggzvV+hgJXNY0116gUuAhA
5UTKFfEHyXDtlgsTHSyETiHw3qXQ6JmyNUPepuAcf1Ly/yTvlFPhM56R52ZjBLRs
rQOf3Vdelgpnpo4olu7L
=4r/Q
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,170 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:17.kmem Security Advisory
The FreeBSD Project
Topic: Kernel memory disclosure in control messages and SCTP
notifications
Category: core
Module: kern, sctp
Announced: 2014-07-08
Credits: Michael Tuexen
Affects: All supported versions of FreeBSD.
Corrected: 2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name: CVE-2014-3952, CVE-2014-3953
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The control message API is used to construct ancillary data objects for
use in control messages sent and received across sockets and passed via
the recvmsg(2) and sendmsg(2) system calls.
II. Problem Description
Buffer between control message header and data may not be completely
initialized before being copied to userland. [CVE-2014-3952]
Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit
padding that may not be completely initialized before being copied to
userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE,
SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the
returning data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]
III. Impact
An unprivileged local process may be able to retrieve portion of kernel
memory.
For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory.
For SCTP, the process may be able to retrieve 2 bytes of kernel memory
for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
bytes for SCTP_EXTRCV. If the local process is permitted to receive
SCTP notification, a maximum of 112 bytes of kernel memory may be
returned to userland.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might include a user-entered password.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
# gpg --verify kmem.patch.asc
[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
# gpg --verify kmem.patch.asc
[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
# gpg --verify kmem.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r268432
releng/8.4/ r268435
stable/9/ r268432
releng/9.1/ r268434
releng/9.2/ r268434
releng/9.3/ r268433
stable/10/ r268432
releng/10.0/ r268434
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3952>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3953>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJTvG0nAAoJEO1n7NZdz2rn9w0QANVDZ/92sbXjrREbn/qDto75
opjg7cJUne0tAkeqoCxYNiCT0yxI4M37N41Hvq1ZbA0HFgodjb5s6pXTZ4baB4PH
CKxMvk8NB8PAw3+JfG9Ec8e4MaUd0Md04yNx/Ej1zdDz75rhHcqGiK2Agm086RSV
K7TyzZXr1QrjJCSltM5dcXHacMgIZ7OxxY/e4DrI7tsEQk50wmlSKcZZI0GC8o+p
DzhcMP+7qN9wNcZaXNNlLxLlthjlwudnGuFwg4DzkUCjCu2ooyerOref4UDWXmN8
bky3U9wx5PnM/LmocWAPYCgA58WckbPooiWEWGWJJeogbVi6+vVNOe1516vAeTep
MyGLpdP6v2tSo6XI33yd2YrxDMGOdFN1+ZfeDvFyBk9JFEfMhKHio84967hQRQN6
pz1+0Ga119akQZKnBs3z9YhPze26sJB+tgTdIUJnunVysdslKI2EYcJ1R+UNIoDB
h5XClPqAWyupfohp2TD8vM5RT+x6CaeW4P08KRpg8PTmqHi7CNB5wgFASG2uC/BT
3qZDebjE7CMCQ35wEWBwVHt8SK0MwaIb9u4A+Fxf/plNDwqKqtQ7LdhI/fabJl5T
IP3RbQLdiGyRAtOwcgXbmIGd2k3E9TNCQa5AdiUjiE5zGcRUs3iywVtyvellnVpI
yAc2ussNLU5vJef4t30X
=u6Xe
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,15 @@
Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail (revision 268273)
+++ etc/rc.d/jail (working copy)
@@ -647,7 +647,9 @@ jail_start()
done
eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1
+ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
+ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
+ </dev/null
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCgAGBQJTvG16AAoJEO1n7NZdz2rnZnQP/iLTnaxVHY4lxecPfSJZnMiD
l5X1mtnnpleRFOCztOQBM5qLRXxp14V3tE62vBUx5e4go3qYqVC/u+sWgvcC7sBG
aBT3cRVyTnygoXK6B7Av6hEhG9A+RBy1PmKEW/0iIKxD2oixNPtDv6u0AEEv+ipb
WAtjzngeTtrMYskWZNxC8FT+NTTUQTkeU9Rqjh+JKsS8sqpzm1gHWtbp5wKJPeLt
Rt4IULzqNoBmB9BRGYA7scFkXCUC+B1MQLUxN0p9KjNrp1REObOGfb8aTHoAuA0O
Wk6kQeF+heqxt+TRTZp3obOYHINbVfBnPGMWty4hD8JHHFDytdA6LLalILTml3Ia
iBaxWP/sk+4ziWkKtdlyc4VYSGzQNR+9/TIaBz0SuuMOdd21DWjaGtqIY/jfzUpA
CnAAwJJj2ejIqOtR20aSOlCn/DVx7qyXr+R6YyUWjqlhzIsdrxBFsajIuT8DB+U5
BSDIAxPa5esaMQhbrtoZyb8Fto0P50vMwrfjv9wuoo2Nvz+vU3ABhaPIHzTBomxl
hepAZIGSI4UzZwk0Kj1z9I+e5EDOlFVvxhO6KYpJeulBRM+bMSILXzWH08PMoctz
MhGkkyc8svpTZB9jYxzmcWikdbRknTo3k/I2hVF8pa/sOSbXBL3/HebVuycmvL5y
2d+RwPgvW/C73wgUiFe7
=rl/o
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,263 @@
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 268273)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
Index: sys/netinet/sctp_auth.c
===================================================================
--- sys/netinet/sctp_auth.c (revision 268273)
+++ sys/netinet/sctp_auth.c (working copy)
@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
SCTP_BUF_LEN(m_notify) = 0;
auth = mtod(m_notify, struct sctp_authkey_event *);
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
auth->auth_flags = 0;
auth->auth_length = sizeof(*auth);
Index: sys/netinet/sctp_indata.c
===================================================================
--- sys/netinet/sctp_indata.c (revision 268273)
+++ sys/netinet/sctp_indata.c (working copy)
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
Index: sys/netinet/sctputil.c
===================================================================
--- sys/netinet/sctputil.c (revision 268273)
+++ sys/netinet/sctputil.c (working copy)
@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
}
SCTP_BUF_NEXT(m_notify) = NULL;
sac = mtod(m_notify, struct sctp_assoc_change *);
+ memset(sac, 0, notif_len);
sac->sac_type = SCTP_ASSOC_CHANGE;
sac->sac_flags = 0;
sac->sac_length = sizeof(struct sctp_assoc_change);
@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
if (m_notify == NULL)
/* no space left */
return;
- length += chk->send_size;
- length -= sizeof(struct sctp_data_chunk);
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
if (sent) {
ssfe->ssfe_flags = SCTP_DATA_SENT;
@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
if (sent) {
ssf->ssf_flags = SCTP_DATA_SENT;
@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssf->ssf_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
/* no space left */
return;
}
- length += sp->length;
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = sp->stream;
if (sp->some_taken) {
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
ssf->ssf_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
ssf->ssf_info.sinfo_stream = sp->stream;
ssf->ssf_info.sinfo_ssn = 0;
if (sp->some_taken) {
@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
return;
SCTP_BUF_LEN(m_notify) = 0;
sai = mtod(m_notify, struct sctp_adaptation_event *);
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
sai->sai_type = SCTP_ADAPTATION_INDICATION;
sai->sai_flags = 0;
sai->sai_length = sizeof(struct sctp_adaptation_event);
@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
return;
SCTP_BUF_LEN(m_notify) = 0;
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
pdapi->pdapi_flags = 0;
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
/* no space left */
return;
sse = mtod(m_notify, struct sctp_shutdown_event *);
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
sse->sse_type = SCTP_SHUTDOWN_EVENT;
sse->sse_flags = 0;
sse->sse_length = sizeof(struct sctp_shutdown_event);
@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
}
SCTP_BUF_LEN(m_notify) = 0;
event = mtod(m_notify, struct sctp_sender_dry_event *);
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
event->sender_dry_flags = 0;
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_stream_change_event *stradd;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
return;
}
stcb->asoc.peer_req_out = 0;
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_stream_change_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
stradd = mtod(m_notify, struct sctp_stream_change_event *);
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
stradd->strchange_flags = flag;
- stradd->strchange_length = len;
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
stradd->strchange_assoc_id = sctp_get_associd(stcb);
stradd->strchange_instrms = numberin;
stradd->strchange_outstrms = numberout;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_assoc_reset_event *strasoc;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
/* event not enabled */
return;
}
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_assoc_reset_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
strasoc->assocreset_flags = flag;
- strasoc->assocreset_length = len;
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
strasoc->assocreset_local_tsn = sending_tsn;
strasoc->assocreset_remote_tsn = recv_tsn;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
return;
}
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
+ memset(strreset, 0, len);
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
strreset->strreset_flags = flag;
strreset->strreset_length = len;
@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
fromlen = 0;
}
+ if (filling_sinfo) {
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
+ }
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
- if ((controlp) && (filling_sinfo)) {
+ if (controlp != NULL) {
/* copy back the sinfo in a CMSG format */
if (filling_sinfo)
*controlp = sctp_build_ctl_nchunk(inp,

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCgAGBQJTvG1sAAoJEO1n7NZdz2rnxSAQAMOj+4y12nfK7TJZZV6Knr2O
Cxgee7T0CV6j7+pdSoN0KNsat6Yl9+s5tM3Akr2kkvSoviZQcXlQopJmZhjyiT3u
/RHankNfsRdZDoXzgHMkD2922eQbwz0O5MOeV+dysQCfYNW31890nCviVTr5a5SH
0C20+ka1nelBPaea4RNgyKBUEs3PAzfTz5yDRzRLFhl/8EqV/Pcom62IyEFe9TB9
IxPk+DT3tpynWA2XioQFc3vLYz0NxBSCdsWnk9klWvmkLwJUkGGcUztWokU675ez
4bvb018YPOaqikePymMzUluLpZZH8P0Om2hnKnZP2aqOjj9IaOlNzSkY9OPqoaSN
7t29mWZ+x3e8D56c3TMfviFjTVwJjE9OH9aomoZGrxIt1W5cCKwgAJJfpXtin+bR
/nzYtomRDWxKLjfSDV2nC8N4dqh4qz7HRFSmLgXhL7LYpNtMZURZnrNke92OCZMe
hjeGFk3V9tATYeCxAZaDEe/xgW5Ir/cCWaxQUabEldc8AdHT7vumaQ9UvND8SSBp
52BPWMRFPdDtDbL61ESjrBwjFgWIeiNDbSW3VW5qTPqIxF66GcWcZf8PJE8kdYTX
0vrMsjsusu6LFc8FTwzE1O8sbPGkSdqe2GPXU2PZu8+FGkHKgz4qR/bLewG/nqwQ
3zOlJ1MrVW2nyKQK+Bik
=VGnU
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,263 @@
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 268273)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
Index: sys/netinet/sctp_auth.c
===================================================================
--- sys/netinet/sctp_auth.c (revision 268273)
+++ sys/netinet/sctp_auth.c (working copy)
@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
SCTP_BUF_LEN(m_notify) = 0;
auth = mtod(m_notify, struct sctp_authkey_event *);
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
auth->auth_flags = 0;
auth->auth_length = sizeof(*auth);
Index: sys/netinet/sctp_indata.c
===================================================================
--- sys/netinet/sctp_indata.c (revision 268273)
+++ sys/netinet/sctp_indata.c (working copy)
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
Index: sys/netinet/sctputil.c
===================================================================
--- sys/netinet/sctputil.c (revision 268273)
+++ sys/netinet/sctputil.c (working copy)
@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
}
SCTP_BUF_NEXT(m_notify) = NULL;
sac = mtod(m_notify, struct sctp_assoc_change *);
+ memset(sac, 0, notif_len);
sac->sac_type = SCTP_ASSOC_CHANGE;
sac->sac_flags = 0;
sac->sac_length = sizeof(struct sctp_assoc_change);
@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
if (m_notify == NULL)
/* no space left */
return;
- length += chk->send_size;
- length -= sizeof(struct sctp_data_chunk);
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
if (sent) {
ssfe->ssfe_flags = SCTP_DATA_SENT;
@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
if (sent) {
ssf->ssf_flags = SCTP_DATA_SENT;
@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssf->ssf_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
/* no space left */
return;
}
- length += sp->length;
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = sp->stream;
if (sp->some_taken) {
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
ssf->ssf_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
ssf->ssf_info.sinfo_stream = sp->stream;
ssf->ssf_info.sinfo_ssn = sp->strseq;
if (sp->some_taken) {
@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
return;
SCTP_BUF_LEN(m_notify) = 0;
sai = mtod(m_notify, struct sctp_adaptation_event *);
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
sai->sai_type = SCTP_ADAPTATION_INDICATION;
sai->sai_flags = 0;
sai->sai_length = sizeof(struct sctp_adaptation_event);
@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct
return;
SCTP_BUF_LEN(m_notify) = 0;
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
pdapi->pdapi_flags = 0;
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
/* no space left */
return;
sse = mtod(m_notify, struct sctp_shutdown_event *);
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
sse->sse_type = SCTP_SHUTDOWN_EVENT;
sse->sse_flags = 0;
sse->sse_length = sizeof(struct sctp_shutdown_event);
@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
}
SCTP_BUF_LEN(m_notify) = 0;
event = mtod(m_notify, struct sctp_sender_dry_event *);
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
event->sender_dry_flags = 0;
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_stream_change_event *stradd;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
return;
}
stcb->asoc.peer_req_out = 0;
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_stream_change_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
stradd = mtod(m_notify, struct sctp_stream_change_event *);
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
stradd->strchange_flags = flag;
- stradd->strchange_length = len;
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
stradd->strchange_assoc_id = sctp_get_associd(stcb);
stradd->strchange_instrms = numberin;
stradd->strchange_outstrms = numberout;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_assoc_reset_event *strasoc;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
/* event not enabled */
return;
}
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_assoc_reset_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
strasoc->assocreset_flags = flag;
- strasoc->assocreset_length = len;
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
strasoc->assocreset_local_tsn = sending_tsn;
strasoc->assocreset_remote_tsn = recv_tsn;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
return;
}
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
+ memset(strreset, 0, len);
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
strreset->strreset_flags = flag;
strreset->strreset_length = len;
@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so,
fromlen = 0;
}
+ if (filling_sinfo) {
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
+ }
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
- if ((controlp) && (filling_sinfo)) {
+ if (controlp != NULL) {
/* copy back the sinfo in a CMSG format */
if (filling_sinfo)
*controlp = sctp_build_ctl_nchunk(inp,

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCgAGBQJTvG1sAAoJEO1n7NZdz2rnfuYQAMucmTFZ6DMXAfniAzJK7YBj
QmPeCMS31bJePyXLQY7wyeo+xK0uV0cyhNL8Oy6OF9bziJxkkxNhT8FqPbYnD4E7
aGT+SGhGeKWGILBbDIGD+XDMy2S3SjHUIUdVB0T95O7D0IrQqQUoVwZjDvrxRrdP
mXIvWePatyAYpwukYwVDtB2hj3vxZRuW90HGdRpEeWO/W/3Fm91Lxbgw95J/2IQl
wpTteCGAIa74ez4nYGlEIvWmw0x8eiFty6tDAoDkVYuGH9wzQek5X+Ih3MVbYPR3
prciyU9OFoAI/asm3T04Kq50nO7tVSZrLVw+x776BkziZJ2rofib4qeQBS/0vc6m
jcuyY0zbZAb2Tl9aoKmdAYFIsWxhVNr6/NjaZbxDdirs8aV4sIw+xBTo+C6aP9eS
vX30K3Fuycl3hJ9g+Idvw21kpvApbArQztiPk/DwJMoyfSQvDCiX1mS3QX3FXjZN
P/PIvEd19T5ODde4Ae2eCQk8dxNKqvE/X5F48K0dZT3blAgYhEJW02ydz11M+1Z/
q5Iu+LRnAsSk0yD1WjfkKIDHIQTaqsGGKsCUIfrImT09k/qJt8Wn/r7DRX5GVvX5
rSU0941KQhYc5ffYgiLG0xQcRDKqZKlIWJtUth1rpXbQhO8uZya1O7xlaOCn1aXn
Cc+B5t8Y12ohipRNTvoC
=vpdj
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,263 @@
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 268273)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
Index: sys/netinet/sctp_auth.c
===================================================================
--- sys/netinet/sctp_auth.c (revision 268273)
+++ sys/netinet/sctp_auth.c (working copy)
@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
SCTP_BUF_LEN(m_notify) = 0;
auth = mtod(m_notify, struct sctp_authkey_event *);
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
auth->auth_flags = 0;
auth->auth_length = sizeof(*auth);
Index: sys/netinet/sctp_indata.c
===================================================================
--- sys/netinet/sctp_indata.c (revision 268273)
+++ sys/netinet/sctp_indata.c (working copy)
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
Index: sys/netinet/sctputil.c
===================================================================
--- sys/netinet/sctputil.c (revision 268273)
+++ sys/netinet/sctputil.c (working copy)
@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
}
SCTP_BUF_NEXT(m_notify) = NULL;
sac = mtod(m_notify, struct sctp_assoc_change *);
+ memset(sac, 0, notif_len);
sac->sac_type = SCTP_ASSOC_CHANGE;
sac->sac_flags = 0;
sac->sac_length = sizeof(struct sctp_assoc_change);
@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
if (m_notify == NULL)
/* no space left */
return;
- length += chk->send_size;
- length -= sizeof(struct sctp_data_chunk);
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
if (sent) {
ssfe->ssfe_flags = SCTP_DATA_SENT;
@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
if (sent) {
ssf->ssf_flags = SCTP_DATA_SENT;
@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssf->ssf_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
/* no space left */
return;
}
- length += sp->length;
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = sp->stream;
if (sp->some_taken) {
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
ssf->ssf_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
ssf->ssf_info.sinfo_stream = sp->stream;
ssf->ssf_info.sinfo_ssn = 0;
if (sp->some_taken) {
@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
return;
SCTP_BUF_LEN(m_notify) = 0;
sai = mtod(m_notify, struct sctp_adaptation_event *);
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
sai->sai_type = SCTP_ADAPTATION_INDICATION;
sai->sai_flags = 0;
sai->sai_length = sizeof(struct sctp_adaptation_event);
@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
return;
SCTP_BUF_LEN(m_notify) = 0;
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
pdapi->pdapi_flags = 0;
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
/* no space left */
return;
sse = mtod(m_notify, struct sctp_shutdown_event *);
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
sse->sse_type = SCTP_SHUTDOWN_EVENT;
sse->sse_flags = 0;
sse->sse_length = sizeof(struct sctp_shutdown_event);
@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
}
SCTP_BUF_LEN(m_notify) = 0;
event = mtod(m_notify, struct sctp_sender_dry_event *);
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
event->sender_dry_flags = 0;
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_stream_change_event *stradd;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
return;
}
stcb->asoc.peer_req_out = 0;
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_stream_change_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
stradd = mtod(m_notify, struct sctp_stream_change_event *);
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
stradd->strchange_flags = flag;
- stradd->strchange_length = len;
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
stradd->strchange_assoc_id = sctp_get_associd(stcb);
stradd->strchange_instrms = numberin;
stradd->strchange_outstrms = numberout;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_assoc_reset_event *strasoc;
- int len;
if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
/* event not enabled */
return;
}
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_assoc_reset_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
strasoc->assocreset_flags = flag;
- strasoc->assocreset_length = len;
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
strasoc->assocreset_local_tsn = sending_tsn;
strasoc->assocreset_remote_tsn = recv_tsn;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
return;
}
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
+ memset(strreset, 0, len);
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
strreset->strreset_flags = flag;
strreset->strreset_length = len;
@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
fromlen = 0;
}
+ if (filling_sinfo) {
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
+ }
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
- if ((controlp) && (filling_sinfo)) {
+ if (controlp != NULL) {
/* copy back the sinfo in a CMSG format */
if (filling_sinfo)
*controlp = sctp_build_ctl_nchunk(inp,

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCgAGBQJTvG1sAAoJEO1n7NZdz2rnm6AP/joogW8tONA14xFRCOv2dT9g
iJUIfrSukkdUZLEpH/HL7Wy9nuyd1DXX0Y+pO2EMtavMqAAsm9EcjWr0FmBwVc7l
psB9HvSecCNXcl0ezUG19iW+2eadlpU0+4Uoo3Mg2vv+SYVlywNVFSkra4Qey0DM
+PgrkaBotDUl04lBD5rewD8JYuDirhMhI1H6x/elyqi+t0yp4g/6AdC8p2N6uAB+
5+ZR9Ucj8h75/zzqBBTN8+Tu6I/0VTfs296egxUApPFrKilIYEwVUKFP6tQhbCSJ
r2s+CmkqHWbtwgWWQRZGgbKbbjQYz6rumvag6zU7+bwZJpkIyxBan5DLXRpOVTIs
vy0MrbP2syh8PVhdlzOHVkif8fRQl6lRufWqYQmSv6r+JtPzVuG+drewG56qxrOq
hbDqAdeIQoHhMUHrH+IXTpdMFYywiYhXm0nt0w2bB9gcwbJd/mg/aQZUc3Vpp20k
exysXZdC32Hp4gzYMStV7Ddv6HyOhI3RkFAcGE5BKgOIsjT+aMiLJnUxzTUGor/0
ppge7FDEoEvgyCJbxyMDt3jN5DvA7bjDOmjATLex/Oo2Ah/BHlcAwDXp4rqsnoKy
F9rsPJkEjRwh4jZo47+HQCtJ5DEqUnhdZz3Ps7Az0AN/T7wORP5/tYkrb9IFNNGh
Rzz+HVMAuFutlwhFPJKf
=Oql4
-----END PGP SIGNATURE-----

View file

@ -7,6 +7,18 @@
<year>
<name>2014</name>
<month>
<name>7</name>
<day>
<name>8</name>
<advisory>
<name>FreeBSD-SA-14:17.kmem</name>
</advisory>
</day>
</month>
<month>
<name>6</name>

View file

@ -7,6 +7,18 @@
<year>
<name>2014</name>
<month>
<name>7</name>
<day>
<name>8</name>
<notice>
<name>FreeBSD-EN-14:09.jail</name>
</notice>
</day>
</month>
<month>
<name>6</name>