Date: Thu, 30 Oct 2025 14:10:13 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 83f74730dba1 - stable/13 - altq: Clear stats structures in get_class_stats()
Message-ID: <202510301410.59UEADBO085342@gitrepo.freebsd.org>
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=83f74730dba10190ee157be129d4dce46592ab2a commit 83f74730dba10190ee157be129d4dce46592ab2a Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-10-27 16:27:40 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2025-10-30 14:09:58 +0000 altq: Clear stats structures in get_class_stats() These structures are copied out to userspace, and it's possible to leak uninitialized stack bytes since these routines and their callers weren't careful to clear them first. Add memsets to avoid this. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reviewed by: kp, emaste MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53342 (cherry picked from commit ff08916e9ac689e6ce734de72325fc2bd9495a35) --- sys/net/altq/altq_cbq.c | 2 ++ sys/net/altq/altq_fairq.c | 2 ++ sys/net/altq/altq_priq.c | 2 ++ 3 files changed, 6 insertions(+) diff --git a/sys/net/altq/altq_cbq.c b/sys/net/altq/altq_cbq.c index bcba09267289..07c61fccb19b 100644 --- a/sys/net/altq/altq_cbq.c +++ b/sys/net/altq/altq_cbq.c @@ -172,6 +172,8 @@ cbq_request(struct ifaltq *ifq, int req, void *arg) static void get_class_stats(class_stats_t *statsp, struct rm_class *cl) { + memset(statsp, 0, sizeof(*statsp)); + statsp->xmit_cnt = cl->stats_.xmit_cnt; statsp->drop_cnt = cl->stats_.drop_cnt; statsp->over = cl->stats_.over; diff --git a/sys/net/altq/altq_fairq.c b/sys/net/altq/altq_fairq.c index e20eea91b1a1..49046da24594 100644 --- a/sys/net/altq/altq_fairq.c +++ b/sys/net/altq/altq_fairq.c @@ -856,6 +856,8 @@ get_class_stats(struct fairq_classstats *sp, struct fairq_class *cl) { fairq_bucket_t *b; + memset(sp, 0, sizeof(*sp)); + sp->class_handle = cl->cl_handle; sp->qlimit = cl->cl_qlimit; sp->xmit_cnt = cl->cl_xmitcnt; diff --git a/sys/net/altq/altq_priq.c b/sys/net/altq/altq_priq.c index 32ebfdefbfbe..8023dc12e029 100644 --- a/sys/net/altq/altq_priq.c +++ b/sys/net/altq/altq_priq.c 
@@ -597,6 +597,8 @@ priq_purgeq(struct priq_class *cl) static void get_class_stats(struct priq_classstats *sp, struct priq_class *cl) { + memset(sp, 0, sizeof(*sp)); + sp->class_handle = cl->cl_handle; sp->qlength = qlen(cl->cl_q); sp->qlimit = qlimit(cl->cl_q);
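Review bot: The memset() at the top of get_class_stats() in sys/net/altq/altq_cbq.c has no comment saying why it is there, and because the lines after it assign the fields one by one it reads as redundant and is easy to drop in a later cleanup. A one-line comment above `memset(statsp, 0, sizeof(*statsp));` noting that the structure is copied out to userspace, so any bytes not assigned below must be zero, would keep the intent visible in the code and not only in the commit message.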
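Review bot: In sys/net/altq/altq_fairq.c the zeroing now happens inside get_class_stats(), right after the `fairq_bucket_t *b;` declaration, so anything a caller stored in *sp before the call is wiped. The commit message says the callers were not clearing the structure either; please confirm that none of them fills in a field before calling, or do the memset where the callers declare the structure if one does.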
