authorMark Johnston <markj@FreeBSD.org>2023-01-17 14:36:54 +0000
committerMark Johnston <markj@FreeBSD.org>2023-01-17 14:36:54 +0000
commitd91be0f1211b0196a0087cdfa237a6a0d2a43b65 (patch)
tree56908fa0c03f541572c3c8605855b0acab699c64
parente5f5ca7fee26179725ab2d66b5500d51fe8ae113 (diff)
netlink: Zero-initialize mbuf messages
Some users of nlmsg_reserve_object() and nlmsg_reserve_data() are not careful to fully initialize pad and reserved fields, allowing uninitialized bytes to leak to userspace. For example, dump_nhgrp() doesn't set nhm->resvd = 0. Meanwhile, nlmsg_get_ns_buf() and nlmsg_get_ns_lbuf() zero-initialize the buffer, so nlmsg_get_ns_mbuf() is inconsistent. Let's just make them all behave the same here. Reported by: KMSAN Reviewed by: melifaro Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38098
-rw-r--r--sys/netlink/netlink_message_writer.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netlink/netlink_message_writer.c b/sys/netlink/netlink_message_writer.c
index 37414703c6f6..6573394eb881 100644
--- a/sys/netlink/netlink_message_writer.c
+++ b/sys/netlink/netlink_message_writer.c
@@ -215,6 +215,7 @@ nlmsg_get_ns_mbuf(struct nl_writer *nw, int size, bool waitok)
nw->malloc_flag = mflag;
nw->num_messages = 0;
nw->enomem = false;
+ memset(nw->data, 0, size);
NL_LOG(LOG_DEBUG2, "alloc mbuf %p req_len %d alloc_len %d data_ptr %p",
m, size, nw->alloc_len, nw->data);
return (true);
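Review bot: The added `memset(nw->data, 0, size);` clears only the requested length, while the debug log on the next lines distinguishes `req_len` (size) from `alloc_len`, so the mbuf may carry more writable space than is being zeroed. If the writer's reserve path bounds messages by `nw->alloc_len` rather than `size` (the capacity check is outside this hunk, so this is inferred), a message that grows past `size` would still copy uninitialized tail bytes to userspace, which is the same class of leak the commit is fixing; zeroing the full capacity, `memset(nw->data, 0, nw->alloc_len);`, would close that gap at the cost of touching a few more bytes. Either way the line deserves a why-comment so it is not "optimized" away later, e.g. `/* Zero the whole buffer so pad/reserved fields never leak stale kernel memory to userspace. */`. The start of nlmsg_get_ns_mbuf, including the allocation and the assignment of alloc_len, lies before the hunk.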