aboutsummaryrefslogtreecommitdiff
path: root/sbin/ipfw
diff options
context:
space:
mode:
authorAndrey V. Elsukov <ae@FreeBSD.org>2019-10-15 09:50:02 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2019-10-15 09:50:02 +0000
commit51b159306584004fc4d4fba87d64d85f73007491 (patch)
treebf66d47aa3cd5347872303542e7be13977e0e547 /sbin/ipfw
parentabc23d5932ae92bdf32c7d39958049e0fa0ba259 (diff)
downloadsrc-51b159306584004fc4d4fba87d64d85f73007491.tar.gz
src-51b159306584004fc4d4fba87d64d85f73007491.zip
Explicitly initialize the memory buffer to store O_ICMP6TYPE opcode.
By default next_cmd() initializes only first u32 of opcode. O_ICMP6TYPE opcode has array of bit masks to store corresponding ICMPv6 types. An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable length and during opcode filling it can modify memory that will be used by O_ICMP6TYPE opcode. Without explicit initialization this leads to creation of wrong opcode. Reported by: Boris N. Lytochkin Obtained from: Yandex LLC MFC after: 3 days
Notes
Notes: svn path=/head/; revision=353545
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipv6.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sbin/ipfw/ipv6.c b/sbin/ipfw/ipv6.c
index 7f30a1df7bcb..050cb6d42941 100644
--- a/sbin/ipfw/ipv6.c
+++ b/sbin/ipfw/ipv6.c
@@ -143,6 +143,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
uint8_t type;
CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
+ memset(cmd, 0, sizeof(*cmd));
while (*av) {
if (*av == ',')
av++;