diff options
author | Mark Johnston <markj@FreeBSD.org> | 2022-01-20 20:42:46 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2022-01-20 20:42:46 +0000 |
commit | 6be8944d96d2cb5938b69c63b483efa616eafb56 (patch) | |
tree | 0a6221bc9859d1fbc6b6c288df19c2940473d9be | |
parent | d91d2b513eb30a226e87f0e52e2f9f232a2e1ca3 (diff) | |
download | src-6be8944d96d2cb5938b69c63b483efa616eafb56.tar.gz src-6be8944d96d2cb5938b69c63b483efa616eafb56.zip |
ktls: Zero out TLS_GET_RECORD control messages
Otherwise we end up copying one uninitialized byte into the socket
buffer.
Reported by: KMSAN
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33953
-rw-r--r-- | sys/dev/cxgbe/tom/t4_tls.c | 1 | ||||
-rw-r--r-- | sys/kern/uipc_ktls.c | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/sys/dev/cxgbe/tom/t4_tls.c b/sys/dev/cxgbe/tom/t4_tls.c index cd2a505e8346..06a21ade04c1 100644 --- a/sys/dev/cxgbe/tom/t4_tls.c +++ b/sys/dev/cxgbe/tom/t4_tls.c @@ -1052,6 +1052,7 @@ do_rx_tls_cmp(struct sge_iq *iq, const struct rss_header *rss, struct mbuf *m) tgr = (struct tls_get_record *) CMSG_DATA(mtod(control, struct cmsghdr *)); + memset(tgr, 0, sizeof(*tgr)); tgr->tls_type = tls_hdr_pkt->type; tgr->tls_vmajor = be16toh(tls_hdr_pkt->version) >> 8; tgr->tls_vminor = be16toh(tls_hdr_pkt->version) & 0xff; diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 5b37daf7d73b..5912db865ef6 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -2066,6 +2066,7 @@ ktls_decrypt(struct socket *so) } /* Allocate the control mbuf. */ + memset(&tgr, 0, sizeof(tgr)); tgr.tls_type = record_type; tgr.tls_vmajor = hdr->tls_vmajor; tgr.tls_vminor = hdr->tls_vminor; |