Add SA-14:17.kmem and EN-14:09.jail.
This commit is contained in:
parent
85345b9d9e
commit
d126e9c52b
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=45230
12 changed files with 1187 additions and 0 deletions
121
share/security/advisories/FreeBSD-EN-14:09.jail.asc
Normal file
@ -0,0 +1,121 @
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-14:09.jail Errata Notice
The FreeBSD Project

Topic: Jail fails to start if WITHOUT_INET/WITHOUT_INET6 is used

Category: core
Module: jail
Announced: 2014-07-08
Credits: Eugene Grosbein, Chris Rees
Affects: FreeBSD 8.4
Corrected: 2014-07-02 19:18:59 UTC (stable/8, 8.4-STABLE)
2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.

I. Background

The jail(8) utility creates new jails, or modifies or removes existing
jails.

II. Problem Description

The jail(8) rc(8) script used to start jails on the system does not
properly detect if an address protocol is in use on the system.

III. Impact

When the FreeBSD kernel and userland are built either without IPv4 or IPv6
support by defining WITHOUT_INET or WITHOUT_INET6 in src.conf(5), the jail(8)
will fail to start with an non-descriptive error.

IV. Workaround

No workaround is available, however systems that do not define WITHOUT_INET
or WITHOUT_INET6 are not affected.

V. Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch
# fetch http://security.FreeBSD.org/patches/EN-14:09/jail.patch.asc
# gpg --verify jail.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r268168
releng/8.4/ r268435
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:09.jail.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
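
Review bot: Section III (Impact) reads "will fail to start with an non-descriptive error"; that should be "a non-descriptive error". Sections II and III also never say which argument of the jail(8) invocation triggers the failure, although the accompanying jail.patch shows it is the ip4.addr/ip6.addr parameter being passed with an empty value; one sentence stating that would let an operator match the notice against the failure they actually see.
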
170
share/security/advisories/FreeBSD-SA-14:17.kmem.asc
Normal file
@ -0,0 +1,170 @
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:17.kmem Security Advisory
The FreeBSD Project

Topic: Kernel memory disclosure in control messages and SCTP
notifications

Category: core
Module: kern, sctp
Announced: 2014-07-08
Credits: Michael Tuexen
Affects: All supported versions of FreeBSD.
Corrected: 2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name: CVE-2014-3952, CVE-2014-3953

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The control message API is used to construct ancillary data objects for
use in control messages sent and received across sockets and passed via
the recvmsg(2) and sendmsg(2) system calls.

II. Problem Description

Buffer between control message header and data may not be completely
initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit
padding that may not be completely initialized before being copied to
userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE,
SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the
returning data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]

III. Impact

An unprivileged local process may be able to retrieve portion of kernel
memory.

For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory
for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
bytes for SCTP_EXTRCV. If the local process is permitted to receive
SCTP notification, a maximum of 112 bytes of kernel memory may be
returned to userland.

This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might include a user-entered password.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
# gpg --verify kmem.patch.asc

[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
# gpg --verify kmem.patch.asc

[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
# gpg --verify kmem.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r268432
releng/8.4/ r268435
stable/9/ r268432
releng/9.1/ r268434
releng/9.2/ r268434
releng/9.3/ r268433
stable/10/ r268432
releng/10.0/ r268434
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3952>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3953>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
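
Review bot: In section V.2.a the second and third command blocks fetch kmem-89.patch.asc and kmem-9.1.patch.asc but then run "gpg --verify kmem.patch.asc", a signature file those blocks never download, so a reader following them either gets an error or checks the wrong patch; each verify line should name the signature fetched just above it. The block labels also overlap: "[FreeBSD 8.4, 9.2 and 9.3-RC]" and "[FreeBSD 9.2]" both claim 9.2, while the third block fetches kmem-9.1.patch and the Corrected list includes releng/9.1, so the third label presumably should read 9.1.
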
15
share/security/patches/EN-14:09/jail.patch
Normal file
@ -0,0 +1,15 @
Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail (revision 268273)
+++ etc/rc.d/jail (working copy)
@@ -647,7 +647,9 @@ jail_start()
done

eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1
+ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
+ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
+ </dev/null

if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
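
Review bot: The added "</dev/null" redirect on the jail command is not mentioned in the errata notice, which describes only the address-protocol detection problem; either explain why stdin is detached here or split it into its own change. The ${_addrl:+...} and ${_addr6l:+...} expansions do the right thing by dropping an empty ip4.addr/ip6.addr, but a one-line comment above the eval saying that an empty address parameter must be omitted on WITHOUT_INET/WITHOUT_INET6 builds would stop a later edit from turning them back into unconditional arguments.
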
17
share/security/patches/EN-14:09/jail.patch.asc
Normal file
@ -0,0 +1,17 @
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
263
share/security/patches/SA-14:17/kmem-89.patch
Normal file
@ -0,0 +1,263 @
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 268273)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
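
Review bot: The new bzero(cp, CMSG_SPACE((u_int)size)) writes the full aligned length, and in the lines shown the only bound on that length against the mbuf is the KASSERT just above it, which is compiled out of kernels built without INVARIANTS; please confirm that a runtime size check earlier in sbcreatecontrol() covers this write. The cast is also inconsistent: the KASSERT and the bzero use CMSG_SPACE((u_int)size) while the m->m_len assignment uses CMSG_SPACE(size), and the three should use one form.
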
Index: sys/netinet/sctp_auth.c
===================================================================
--- sys/netinet/sctp_auth.c (revision 268273)
+++ sys/netinet/sctp_auth.c (working copy)
@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,

SCTP_BUF_LEN(m_notify) = 0;
auth = mtod(m_notify, struct sctp_authkey_event *);
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
auth->auth_flags = 0;
auth->auth_length = sizeof(*auth);
Index: sys/netinet/sctp_indata.c
===================================================================
--- sys/netinet/sctp_indata.c (revision 268273)
+++ sys/netinet/sctp_indata.c (working copy)
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru

/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
Index: sys/netinet/sctputil.c
===================================================================
--- sys/netinet/sctputil.c (revision 268273)
+++ sys/netinet/sctputil.c (working copy)
@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
}
SCTP_BUF_NEXT(m_notify) = NULL;
sac = mtod(m_notify, struct sctp_assoc_change *);
+ memset(sac, 0, notif_len);
sac->sac_type = SCTP_ASSOC_CHANGE;
sac->sac_flags = 0;
sac->sac_length = sizeof(struct sctp_assoc_change);
@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
if (m_notify == NULL)
/* no space left */
return;
- length += chk->send_size;
- length -= sizeof(struct sctp_data_chunk);
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
if (sent) {
ssfe->ssfe_flags = SCTP_DATA_SENT;
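
Review bot: memset(ssfe, 0, length) clears the right number of bytes only because the "length += chk->send_size" adjustment was moved below it, so the memset size silently depends on statement order in this function. Pass sizeof(struct sctp_send_failed_event) to the memset, as the other notification hunks in this patch do with their own sizeof(struct ...) arguments, or add a comment that length must not yet include the payload at this point.
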
@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
if (sent) {
ssf->ssf_flags = SCTP_DATA_SENT;
@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssf->ssf_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
/* no space left */
return;
}
- length += sp->length;
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = sp->stream;
if (sp->some_taken) {
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
ssf->ssf_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
ssf->ssf_info.sinfo_stream = sp->stream;
ssf->ssf_info.sinfo_ssn = 0;
if (sp->some_taken) {
@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
return;
SCTP_BUF_LEN(m_notify) = 0;
sai = mtod(m_notify, struct sctp_adaptation_event *);
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
sai->sai_type = SCTP_ADAPTATION_INDICATION;
sai->sai_flags = 0;
sai->sai_length = sizeof(struct sctp_adaptation_event);
@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
return;
SCTP_BUF_LEN(m_notify) = 0;
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
pdapi->pdapi_flags = 0;
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
/* no space left */
return;
sse = mtod(m_notify, struct sctp_shutdown_event *);
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
sse->sse_type = SCTP_SHUTDOWN_EVENT;
sse->sse_flags = 0;
sse->sse_length = sizeof(struct sctp_shutdown_event);
@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
}
SCTP_BUF_LEN(m_notify) = 0;
event = mtod(m_notify, struct sctp_sender_dry_event *);
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
event->sender_dry_flags = 0;
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_stream_change_event *stradd;
- int len;

if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
return;
}
stcb->asoc.peer_req_out = 0;
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_stream_change_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
stradd = mtod(m_notify, struct sctp_stream_change_event *);
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
stradd->strchange_flags = flag;
- stradd->strchange_length = len;
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
stradd->strchange_assoc_id = sctp_get_associd(stcb);
stradd->strchange_instrms = numberin;
stradd->strchange_outstrms = numberout;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
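
Review bot: With the "len > M_TRAILINGSPACE(m_notify)" check removed, the new memset and the field stores rely on sctp_get_mbuf_for_msg() never returning an mbuf with less room than the sizeof(struct sctp_stream_change_event) it was asked for; a KASSERT on M_TRAILINGSPACE(m_notify) after the NULL check would record that assumption. The same sizeof expression now appears four times in this hunk (allocation, memset, strchange_length, SCTP_BUF_LEN); a local const holding it would keep the four from drifting apart.
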
@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
struct mbuf *m_notify;
struct sctp_queued_to_read *control;
struct sctp_assoc_reset_event *strasoc;
- int len;

if ((stcb == NULL) ||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
/* event not enabled */
return;
}
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
if (m_notify == NULL)
/* no space left */
return;
SCTP_BUF_LEN(m_notify) = 0;
- len = sizeof(struct sctp_assoc_reset_event);
- if (len > M_TRAILINGSPACE(m_notify)) {
- /* never enough room */
- sctp_m_freem(m_notify);
- return;
- }
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
strasoc->assocreset_flags = flag;
- strasoc->assocreset_length = len;
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
strasoc->assocreset_local_tsn = sending_tsn;
strasoc->assocreset_remote_tsn = recv_tsn;
- SCTP_BUF_LEN(m_notify) = len;
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
SCTP_BUF_NEXT(m_notify) = NULL;
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
/* no space */
@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
return;
}
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
+ memset(strreset, 0, len);
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
strreset->strreset_flags = flag;
strreset->strreset_length = len;
@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
fromlen = 0;
}

+ if (filling_sinfo) {
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
+ }
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
- if ((controlp) && (filling_sinfo)) {
+ if (controlp != NULL) {
/* copy back the sinfo in a CMSG format */
if (filling_sinfo)
*controlp = sctp_build_ctl_nchunk(inp,
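
Review bot: The outer test changes from "(controlp) && (filling_sinfo)" to "controlp != NULL", so this block now also runs when filling_sinfo is false, but the context ends before the other branch of the inner "if (filling_sinfo)"; please confirm that branch assigns *controlp so the caller never reads a pointer this function left unset. The memset of sinfo is itself conditional on filling_sinfo, which is only safe if sctp_sorecvmsg() leaves sinfo alone when that flag is zero; a short comment stating that would make the guard reviewable.
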
17
share/security/patches/SA-14:17/kmem-89.patch.asc
Normal file
@ -0,0 +1,17 @
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
263
share/security/patches/SA-14:17/kmem-9.1.patch
Normal file
@ -0,0 +1,263 @
Index: sys/kern/uipc_sockbuf.c
===================================================================
--- sys/kern/uipc_sockbuf.c (revision 268273)
+++ sys/kern/uipc_sockbuf.c (working copy)
@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
m->m_len = 0;
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
("sbcreatecontrol: short mbuf"));
+ /*
+ * Don't leave the padding between the msg header and the
+ * cmsg data and the padding after the cmsg data un-initialized.
+ */
+ bzero(cp, CMSG_SPACE((u_int)size));
if (p != NULL)
(void)memcpy(CMSG_DATA(cp), p, size);
m->m_len = CMSG_SPACE(size);
Index: sys/netinet/sctp_auth.c
===================================================================
--- sys/netinet/sctp_auth.c (revision 268273)
+++ sys/netinet/sctp_auth.c (working copy)
@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,

SCTP_BUF_LEN(m_notify) = 0;
auth = mtod(m_notify, struct sctp_authkey_event *);
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
auth->auth_flags = 0;
auth->auth_length = sizeof(*auth);
Index: sys/netinet/sctp_indata.c
===================================================================
--- sys/netinet/sctp_indata.c (revision 268273)
+++ sys/netinet/sctp_indata.c (working copy)
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru

/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
Index: sys/netinet/sctputil.c
===================================================================
--- sys/netinet/sctputil.c (revision 268273)
+++ sys/netinet/sctputil.c (working copy)
@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
}
SCTP_BUF_NEXT(m_notify) = NULL;
sac = mtod(m_notify, struct sctp_assoc_change *);
+ memset(sac, 0, notif_len);
sac->sac_type = SCTP_ASSOC_CHANGE;
sac->sac_flags = 0;
sac->sac_length = sizeof(struct sctp_assoc_change);
@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
if (m_notify == NULL)
/* no space left */
return;
- length += chk->send_size;
- length -= sizeof(struct sctp_data_chunk);
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
if (sent) {
ssfe->ssfe_flags = SCTP_DATA_SENT;
@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
if (sent) {
ssf->ssf_flags = SCTP_DATA_SENT;
@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
} else {
ssf->ssf_flags = SCTP_DATA_UNSENT;
}
+ length += chk->send_size;
+ length -= sizeof(struct sctp_data_chunk);
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
/* no space left */
return;
}
- length += sp->length;
SCTP_BUF_LEN(m_notify) = 0;
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
+ memset(ssfe, 0, length);
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssfe->ssfe_length = length;
ssfe->ssfe_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
ssfe->ssfe_info.snd_sid = sp->stream;
if (sp->some_taken) {
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
} else {
ssf = mtod(m_notify, struct sctp_send_failed *);
+ memset(ssf, 0, length);
ssf->ssf_type = SCTP_SEND_FAILED;
ssf->ssf_flags = SCTP_DATA_UNSENT;
+ length += sp->length;
ssf->ssf_length = length;
ssf->ssf_error = error;
/* not exactly what the user sent in, but should be close :) */
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
ssf->ssf_info.sinfo_stream = sp->stream;
ssf->ssf_info.sinfo_ssn = sp->strseq;
if (sp->some_taken) {
@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
sai = mtod(m_notify, struct sctp_adaptation_event *);
|
||||
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
|
||||
sai->sai_type = SCTP_ADAPTATION_INDICATION;
|
||||
sai->sai_flags = 0;
|
||||
sai->sai_length = sizeof(struct sctp_adaptation_event);
|
||||
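Review bot: style point on memset(sai, 0, sizeof(struct sctp_adaptation_event)), which also applies to the matching additions for pdapi, sse and event in the hunks that follow: sizeof(*sai) ties the cleared size to the pointer actually being written, so a later change of the notification type cannot leave the memset sized for the old struct.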
@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
|
||||
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
|
||||
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
|
||||
pdapi->pdapi_flags = 0;
|
||||
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
|
||||
@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
|
||||
/* no space left */
|
||||
return;
|
||||
sse = mtod(m_notify, struct sctp_shutdown_event *);
|
||||
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
|
||||
sse->sse_type = SCTP_SHUTDOWN_EVENT;
|
||||
sse->sse_flags = 0;
|
||||
sse->sse_length = sizeof(struct sctp_shutdown_event);
|
||||
@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
|
||||
}
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
event = mtod(m_notify, struct sctp_sender_dry_event *);
|
||||
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
|
||||
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
|
||||
event->sender_dry_flags = 0;
|
||||
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
|
||||
@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
|
||||
struct mbuf *m_notify;
|
||||
struct sctp_queued_to_read *control;
|
||||
struct sctp_stream_change_event *stradd;
|
||||
- int len;
|
||||
|
||||
if ((stcb == NULL) ||
|
||||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
|
||||
@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
|
||||
return;
|
||||
}
|
||||
stcb->asoc.peer_req_out = 0;
|
||||
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
|
||||
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
|
||||
if (m_notify == NULL)
|
||||
/* no space left */
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
- len = sizeof(struct sctp_stream_change_event);
|
||||
- if (len > M_TRAILINGSPACE(m_notify)) {
|
||||
- /* never enough room */
|
||||
- sctp_m_freem(m_notify);
|
||||
- return;
|
||||
- }
|
||||
stradd = mtod(m_notify, struct sctp_stream_change_event *);
|
||||
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
|
||||
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
|
||||
stradd->strchange_flags = flag;
|
||||
- stradd->strchange_length = len;
|
||||
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
|
||||
stradd->strchange_assoc_id = sctp_get_associd(stcb);
|
||||
stradd->strchange_instrms = numberin;
|
||||
stradd->strchange_outstrms = numberout;
|
||||
- SCTP_BUF_LEN(m_notify) = len;
|
||||
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
|
||||
SCTP_BUF_NEXT(m_notify) = NULL;
|
||||
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
|
||||
/* no space */
|
||||
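Review bot: the removed `if (len > M_TRAILINGSPACE(m_notify))` block in sctp_notify_stream_reset_add was the only visible check that the mbuf can hold the event, and the allocation request shrinks from MCLBYTES to sizeof(struct sctp_stream_change_event) in the same change. The memset and field writes now rely entirely on sctp_get_mbuf_for_msg returning at least the requested contiguous space. If that is guaranteed, a KASSERT on M_TRAILINGSPACE(m_notify) before the memset would document it; if it is not, the check should stay.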
@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
|
||||
struct mbuf *m_notify;
|
||||
struct sctp_queued_to_read *control;
|
||||
struct sctp_assoc_reset_event *strasoc;
|
||||
- int len;
|
||||
|
||||
if ((stcb == NULL) ||
|
||||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
|
||||
@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
|
||||
/* event not enabled */
|
||||
return;
|
||||
}
|
||||
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
|
||||
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
|
||||
if (m_notify == NULL)
|
||||
/* no space left */
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
- len = sizeof(struct sctp_assoc_reset_event);
|
||||
- if (len > M_TRAILINGSPACE(m_notify)) {
|
||||
- /* never enough room */
|
||||
- sctp_m_freem(m_notify);
|
||||
- return;
|
||||
- }
|
||||
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
|
||||
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
|
||||
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
|
||||
strasoc->assocreset_flags = flag;
|
||||
- strasoc->assocreset_length = len;
|
||||
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
|
||||
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
|
||||
strasoc->assocreset_local_tsn = sending_tsn;
|
||||
strasoc->assocreset_remote_tsn = recv_tsn;
|
||||
- SCTP_BUF_LEN(m_notify) = len;
|
||||
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
|
||||
SCTP_BUF_NEXT(m_notify) = NULL;
|
||||
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
|
||||
/* no space */
|
||||
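Review bot: after dropping `int len` in sctp_notify_stream_reset_tsn, sizeof(struct sctp_assoc_reset_event) is spelled out four times (allocation, memset, assocreset_length, SCTP_BUF_LEN). Keeping one local initialised from the sizeof, or using sizeof(*strasoc) for the three uses after mtod, would prevent the four from drifting apart in a later edit.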
@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
|
||||
return;
|
||||
}
|
||||
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
|
||||
+ memset(strreset, 0, len);
|
||||
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
|
||||
strreset->strreset_flags = flag;
|
||||
strreset->strreset_length = len;
|
||||
@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so,
|
||||
fromlen = 0;
|
||||
}
|
||||
|
||||
+ if (filling_sinfo) {
|
||||
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
|
||||
+ }
|
||||
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
|
||||
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
|
||||
- if ((controlp) && (filling_sinfo)) {
|
||||
+ if (controlp != NULL) {
|
||||
/* copy back the sinfo in a CMSG format */
|
||||
if (filling_sinfo)
|
||||
*controlp = sctp_build_ctl_nchunk(inp,
|
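Review bot: in sctp_soreceive the outer test changes from `(controlp) && (filling_sinfo)` to `controlp != NULL`, so the block now runs when filling_sinfo is false, and the hunk ends before showing what *controlp receives on that path. Please confirm the inner `if (filling_sinfo)` has an else that stores NULL, so the caller never reads an unset pointer. Separately, sinfo is passed to sctp_sorecvmsg whether or not filling_sinfo is set, so the memset could be unconditional and the extra branch dropped.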
17
share/security/patches/SA-14:17/kmem-9.1.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
|
263
share/security/patches/SA-14:17/kmem.patch
Normal file
|
@ -0,0 +1,263 @@
|
|||
Index: sys/kern/uipc_sockbuf.c
|
||||
===================================================================
|
||||
--- sys/kern/uipc_sockbuf.c (revision 268273)
|
||||
+++ sys/kern/uipc_sockbuf.c (working copy)
|
||||
@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
|
||||
m->m_len = 0;
|
||||
KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
|
||||
("sbcreatecontrol: short mbuf"));
|
||||
+ /*
|
||||
+ * Don't leave the padding between the msg header and the
|
||||
+ * cmsg data and the padding after the cmsg data un-initialized.
|
||||
+ */
|
||||
+ bzero(cp, CMSG_SPACE((u_int)size));
|
||||
if (p != NULL)
|
||||
(void)memcpy(CMSG_DATA(cp), p, size);
|
||||
m->m_len = CMSG_SPACE(size);
|
||||
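Review bot: the added bzero(cp, CMSG_SPACE((u_int)size)) in sbcreatecontrol casts size to u_int, while the unchanged `m->m_len = CMSG_SPACE(size);` and the memcpy below use the plain int; please use one form for all three so the cleared length and the recorded length cannot differ. Note also that the only bound on the bzero length visible here is the KASSERT above it, which is compiled out of kernels built without INVARIANTS, so callers must already guarantee that size fits the mbuf.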
Index: sys/netinet/sctp_auth.c
|
||||
===================================================================
|
||||
--- sys/netinet/sctp_auth.c (revision 268273)
|
||||
+++ sys/netinet/sctp_auth.c (working copy)
|
||||
@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
|
||||
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
auth = mtod(m_notify, struct sctp_authkey_event *);
|
||||
+ memset(auth, 0, sizeof(struct sctp_authkey_event));
|
||||
auth->auth_type = SCTP_AUTHENTICATION_EVENT;
|
||||
auth->auth_flags = 0;
|
||||
auth->auth_length = sizeof(*auth);
|
||||
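Review bot: in sctp_notify_authentication the new memset is sized with sizeof(struct sctp_authkey_event) while auth_length two lines below uses sizeof(*auth). Both evaluate to the same value today, but using sizeof(*auth) in the memset as well would keep the function consistent. The explicit auth_flags = 0 is redundant after the memset.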
Index: sys/netinet/sctp_indata.c
|
||||
===================================================================
|
||||
--- sys/netinet/sctp_indata.c (revision 268273)
|
||||
+++ sys/netinet/sctp_indata.c (working copy)
|
||||
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
|
||||
|
||||
/* We need a CMSG header followed by the struct */
|
||||
cmh = mtod(ret, struct cmsghdr *);
|
||||
+ /*
|
||||
+ * Make sure that there is no un-initialized padding between the
|
||||
+ * cmsg header and cmsg data and after the cmsg data.
|
||||
+ */
|
||||
+ memset(cmh, 0, len);
|
||||
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
|
||||
cmh->cmsg_level = IPPROTO_SCTP;
|
||||
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
|
||||
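Review bot: memset(cmh, 0, len) in sctp_build_ctl_nchunk depends on len being exactly the size the ret mbuf was allocated for, and the hunk does not show where len is computed. Please confirm that len is the same value passed to the allocation of ret and that the function returns before this point when len is zero. The added comment explaining the padding is helpful and should stay.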
Index: sys/netinet/sctputil.c
|
||||
===================================================================
|
||||
--- sys/netinet/sctputil.c (revision 268273)
|
||||
+++ sys/netinet/sctputil.c (working copy)
|
||||
@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
|
||||
}
|
||||
SCTP_BUF_NEXT(m_notify) = NULL;
|
||||
sac = mtod(m_notify, struct sctp_assoc_change *);
|
||||
+ memset(sac, 0, notif_len);
|
||||
sac->sac_type = SCTP_ASSOC_CHANGE;
|
||||
sac->sac_flags = 0;
|
||||
sac->sac_length = sizeof(struct sctp_assoc_change);
|
||||
@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
|
||||
if (m_notify == NULL)
|
||||
/* no space left */
|
||||
return;
|
||||
- length += chk->send_size;
|
||||
- length -= sizeof(struct sctp_data_chunk);
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
|
||||
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
|
||||
+ memset(ssfe, 0, length);
|
||||
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
|
||||
if (sent) {
|
||||
ssfe->ssfe_flags = SCTP_DATA_SENT;
|
||||
@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
|
||||
} else {
|
||||
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
|
||||
}
|
||||
+ length += chk->send_size;
|
||||
+ length -= sizeof(struct sctp_data_chunk);
|
||||
ssfe->ssfe_length = length;
|
||||
ssfe->ssfe_error = error;
|
||||
/* not exactly what the user sent in, but should be close :) */
|
||||
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
|
||||
ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
|
||||
ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
|
||||
ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
|
||||
@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
|
||||
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
|
||||
} else {
|
||||
ssf = mtod(m_notify, struct sctp_send_failed *);
|
||||
+ memset(ssf, 0, length);
|
||||
ssf->ssf_type = SCTP_SEND_FAILED;
|
||||
if (sent) {
|
||||
ssf->ssf_flags = SCTP_DATA_SENT;
|
||||
@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
|
||||
} else {
|
||||
ssf->ssf_flags = SCTP_DATA_UNSENT;
|
||||
}
|
||||
+ length += chk->send_size;
|
||||
+ length -= sizeof(struct sctp_data_chunk);
|
||||
ssf->ssf_length = length;
|
||||
ssf->ssf_error = error;
|
||||
/* not exactly what the user sent in, but should be close :) */
|
||||
@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
|
||||
/* no space left */
|
||||
return;
|
||||
}
|
||||
- length += sp->length;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
|
||||
ssfe = mtod(m_notify, struct sctp_send_failed_event *);
|
||||
+ memset(ssfe, 0, length);
|
||||
ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
|
||||
ssfe->ssfe_flags = SCTP_DATA_UNSENT;
|
||||
+ length += sp->length;
|
||||
ssfe->ssfe_length = length;
|
||||
ssfe->ssfe_error = error;
|
||||
/* not exactly what the user sent in, but should be close :) */
|
||||
- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
|
||||
ssfe->ssfe_info.snd_sid = sp->stream;
|
||||
if (sp->some_taken) {
|
||||
ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
|
||||
@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
|
||||
SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
|
||||
} else {
|
||||
ssf = mtod(m_notify, struct sctp_send_failed *);
|
||||
+ memset(ssf, 0, length);
|
||||
ssf->ssf_type = SCTP_SEND_FAILED;
|
||||
ssf->ssf_flags = SCTP_DATA_UNSENT;
|
||||
+ length += sp->length;
|
||||
ssf->ssf_length = length;
|
||||
ssf->ssf_error = error;
|
||||
/* not exactly what the user sent in, but should be close :) */
|
||||
- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
|
||||
ssf->ssf_info.sinfo_stream = sp->stream;
|
||||
ssf->ssf_info.sinfo_ssn = 0;
|
||||
if (sp->some_taken) {
|
||||
@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
sai = mtod(m_notify, struct sctp_adaptation_event *);
|
||||
+ memset(sai, 0, sizeof(struct sctp_adaptation_event));
|
||||
sai->sai_type = SCTP_ADAPTATION_INDICATION;
|
||||
sai->sai_flags = 0;
|
||||
sai->sai_length = sizeof(struct sctp_adaptation_event);
|
||||
@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
pdapi = mtod(m_notify, struct sctp_pdapi_event *);
|
||||
+ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
|
||||
pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
|
||||
pdapi->pdapi_flags = 0;
|
||||
pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
|
||||
@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
|
||||
/* no space left */
|
||||
return;
|
||||
sse = mtod(m_notify, struct sctp_shutdown_event *);
|
||||
+ memset(sse, 0, sizeof(struct sctp_shutdown_event));
|
||||
sse->sse_type = SCTP_SHUTDOWN_EVENT;
|
||||
sse->sse_flags = 0;
|
||||
sse->sse_length = sizeof(struct sctp_shutdown_event);
|
||||
@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
|
||||
}
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
event = mtod(m_notify, struct sctp_sender_dry_event *);
|
||||
+ memset(event, 0, sizeof(struct sctp_sender_dry_event));
|
||||
event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
|
||||
event->sender_dry_flags = 0;
|
||||
event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
|
||||
@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
|
||||
struct mbuf *m_notify;
|
||||
struct sctp_queued_to_read *control;
|
||||
struct sctp_stream_change_event *stradd;
|
||||
- int len;
|
||||
|
||||
if ((stcb == NULL) ||
|
||||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
|
||||
@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
|
||||
return;
|
||||
}
|
||||
stcb->asoc.peer_req_out = 0;
|
||||
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
|
||||
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA);
|
||||
if (m_notify == NULL)
|
||||
/* no space left */
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
- len = sizeof(struct sctp_stream_change_event);
|
||||
- if (len > M_TRAILINGSPACE(m_notify)) {
|
||||
- /* never enough room */
|
||||
- sctp_m_freem(m_notify);
|
||||
- return;
|
||||
- }
|
||||
stradd = mtod(m_notify, struct sctp_stream_change_event *);
|
||||
+ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
|
||||
stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
|
||||
stradd->strchange_flags = flag;
|
||||
- stradd->strchange_length = len;
|
||||
+ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
|
||||
stradd->strchange_assoc_id = sctp_get_associd(stcb);
|
||||
stradd->strchange_instrms = numberin;
|
||||
stradd->strchange_outstrms = numberout;
|
||||
- SCTP_BUF_LEN(m_notify) = len;
|
||||
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
|
||||
SCTP_BUF_NEXT(m_notify) = NULL;
|
||||
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
|
||||
/* no space */
|
||||
@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
|
||||
struct mbuf *m_notify;
|
||||
struct sctp_queued_to_read *control;
|
||||
struct sctp_assoc_reset_event *strasoc;
|
||||
- int len;
|
||||
|
||||
if ((stcb == NULL) ||
|
||||
(sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
|
||||
@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
|
||||
/* event not enabled */
|
||||
return;
|
||||
}
|
||||
- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
|
||||
+ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
|
||||
if (m_notify == NULL)
|
||||
/* no space left */
|
||||
return;
|
||||
SCTP_BUF_LEN(m_notify) = 0;
|
||||
- len = sizeof(struct sctp_assoc_reset_event);
|
||||
- if (len > M_TRAILINGSPACE(m_notify)) {
|
||||
- /* never enough room */
|
||||
- sctp_m_freem(m_notify);
|
||||
- return;
|
||||
- }
|
||||
strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
|
||||
+ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
|
||||
strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
|
||||
strasoc->assocreset_flags = flag;
|
||||
- strasoc->assocreset_length = len;
|
||||
+ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
|
||||
strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
|
||||
strasoc->assocreset_local_tsn = sending_tsn;
|
||||
strasoc->assocreset_remote_tsn = recv_tsn;
|
||||
- SCTP_BUF_LEN(m_notify) = len;
|
||||
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
|
||||
SCTP_BUF_NEXT(m_notify) = NULL;
|
||||
if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
|
||||
/* no space */
|
||||
@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
|
||||
return;
|
||||
}
|
||||
strreset = mtod(m_notify, struct sctp_stream_reset_event *);
|
||||
+ memset(strreset, 0, len);
|
||||
strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
|
||||
strreset->strreset_flags = flag;
|
||||
strreset->strreset_length = len;
|
||||
@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
|
||||
fromlen = 0;
|
||||
}
|
||||
|
||||
+ if (filling_sinfo) {
|
||||
+ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
|
||||
+ }
|
||||
error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
|
||||
(struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
|
||||
- if ((controlp) && (filling_sinfo)) {
|
||||
+ if (controlp != NULL) {
|
||||
/* copy back the sinfo in a CMSG format */
|
||||
if (filling_sinfo)
|
||||
*controlp = sctp_build_ctl_nchunk(inp,
|
17
share/security/patches/SA-14:17/kmem.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
|
|
@ -7,6 +7,18 @@
|
|||
<year>
|
||||
<name>2014</name>
|
||||
|
||||
<month>
|
||||
<name>7</name>
|
||||
|
||||
<day>
|
||||
<name>8</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-14:17.kmem</name>
|
||||
</advisory>
|
||||
</day>
|
||||
</month>
|
||||
|
||||
<month>
|
||||
<name>6</name>
|
||||
|
||||
|
|
|
@ -7,6 +7,18 @@
|
|||
<year>
|
||||
<name>2014</name>
|
||||
|
||||
<month>
|
||||
<name>7</name>
|
||||
|
||||
<day>
|
||||
<name>8</name>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-14:09.jail</name>
|
||||
</notice>
|
||||
</day>
|
||||
</month>
|
||||
|
||||
<month>
|
||||
<name>6</name>
|
||||
|
||||
|
|