From: Mark Johnston Subject: git: 0eb81bd89dcb - stable/15 - pfsync: Avoid zeroing the state export union List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 0eb81bd89dcbbf21ff4722aca01a7559dc7bcf9f Auto-Submitted: auto-generated Date: Mon, 29 Dec 2025 17:07:12 +0000 Message-Id: <6952b540.26c1f.3b0ae512@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=0eb81bd89dcbbf21ff4722aca01a7559dc7bcf9f commit 0eb81bd89dcbbf21ff4722aca01a7559dc7bcf9f Author: Mark Johnston AuthorDate: 2025-12-14 15:48:27 +0000 Commit: Mark Johnston CommitDate: 2025-12-29 14:31:30 +0000 pfsync: Avoid zeroing the state export union pfsync_state_export() takes a pointer to a union that is in reality a pointer to one of the three state formats (1301, 1400, 1500), and zeros the union. The three formats do not have the same size, so zeroing is wrong when the format isn't that which has the largest size. Refactor a bit so that the zeroing happens at the layer where we know which format we're dealing with. Reported by: CHERI Reviewed by: kp MFC after: 1 week Sponsored by: CHERI Research Centre (EPSRC grant UKRI3001) Differential Revision: https://reviews.freebsd.org/D54163 (cherry picked from commit 796abca7e281f0d4b7f72f48da4f941e1c8b139c) --- sys/net/pfvar.h | 8 ++++++-- sys/netpfil/pf/if_pfsync.c | 15 +++++++++------ sys/netpfil/pf/pf_ioctl.c | 33 +++++++++++++++++++++++++++------ 3 files changed, 42 insertions(+), 14 deletions(-) 
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 55b841f970ea..a6b2f8f11e0f 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1336,8 +1336,12 @@ VNET_DECLARE(pflow_export_state_t *, pflow_export_state_ptr); #define V_pflow_export_state_ptr VNET(pflow_export_state_ptr) extern pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr; -void pfsync_state_export(union pfsync_state_union *, - struct pf_kstate *, int); +void pfsync_state_export_1301(struct pfsync_state_1301 *, + struct pf_kstate *); +void pfsync_state_export_1400(struct pfsync_state_1400 *, + struct pf_kstate *); +void pfsync_state_export_1500(struct pfsync_state_1500 *, + struct pf_kstate *); void pf_state_export(struct pf_state_export *, struct pf_kstate *); diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index b571734b4250..3edf08aefeb5 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -1900,25 +1900,28 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data) static void pfsync_out_state_1301(struct pf_kstate *st, void *buf) { - union pfsync_state_union *sp = buf; + struct pfsync_state_1301 *sp; - pfsync_state_export(sp, st, PFSYNC_MSG_VERSION_1301); + sp = buf; + pfsync_state_export_1301(sp, st); } static void pfsync_out_state_1400(struct pf_kstate *st, void *buf) { - union pfsync_state_union *sp = buf; + struct pfsync_state_1400 *sp; - pfsync_state_export(sp, st, PFSYNC_MSG_VERSION_1400); + sp = buf; + pfsync_state_export_1400(sp, st); } static void pfsync_out_state_1500(struct pf_kstate *st, void *buf) { - union pfsync_state_union *sp = buf; + struct pfsync_state_1500 *sp; - pfsync_state_export(sp, st, PFSYNC_MSG_VERSION_1500); + sp = buf; + pfsync_state_export_1500(sp, st); } static void diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 856bbd6cb9cb..e2b63965d1e1 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
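Review bot: The three new prototypes in sys/net/pfvar.h carry no comment on the contract that callers now rely on: each wrapper clears exactly `sizeof(*sp)` bytes of the destination and then fills it from `st`, as the definitions added in pf_ioctl.c show. That matters in two directions, because the destination must be at least as large as the named format, and the ioctl callers (which presumably copy the struct out to userland) depend on the clearing so that padding does not carry stale kernel memory. I would put one comment above the block, for example `/* Each export zeroes *sp (the named format only) and fills it from st; sp must be at least that large. */`.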
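Review bot: `pfsync_out_state_1301`, `pfsync_out_state_1400` and `pfsync_out_state_1500` still take the destination as a bare `void *buf` with no length, so the `bzero(sp, sizeof(*sp))` that now runs in `pfsync_state_export_*` is in bounds only if the code that reserves `buf` sizes it for the same format. That sizing is not visible in this hunk, so the pairing between each writer and its length cannot be confirmed from here. A comment on each writer, e.g. `/* buf must hold at least sizeof(struct pfsync_state_1301) bytes */`, would make the requirement explicit, and a compile-time size check next to wherever the per-message length is defined would catch a mismatch if another format is added. As a smaller style point, the local is not needed, since `pfsync_state_export_1301(buf, st);` converts from `void *` implicitly.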
@@ -4120,8 +4120,7 @@ DIOCCHANGERULE_error: goto fail; } - pfsync_state_export((union pfsync_state_union*)&ps->state, - s, PFSYNC_MSG_VERSION_1301); + pfsync_state_export_1301(&ps->state, s); PF_STATE_UNLOCK(s); break; } @@ -4187,8 +4186,7 @@ DIOCGETSTATES_retry: if (s->timeout == PFTM_UNLINKED) continue; - pfsync_state_export((union pfsync_state_union*)p, - s, PFSYNC_MSG_VERSION_1301); + pfsync_state_export_1301(p, s); p++; nr++; } @@ -5797,11 +5795,10 @@ fail: return (error); } -void +static void pfsync_state_export(union pfsync_state_union *sp, struct pf_kstate *st, int msg_version) { const char *tagname; - bzero(sp, sizeof(union pfsync_state_union)); /* copy from state key */ sp->pfs_1301.key[PF_SK_WIRE].addr[0] = st->key[PF_SK_WIRE]->addr[0]; @@ -5934,6 +5931,30 @@ pfsync_state_export(union pfsync_state_union *sp, struct pf_kstate *st, int msg_ pf_state_counter_hton(st->bytes[1], sp->pfs_1301.bytes[1]); } +void +pfsync_state_export_1301(struct pfsync_state_1301 *sp, struct pf_kstate *st) +{ + bzero(sp, sizeof(*sp)); + pfsync_state_export((union pfsync_state_union *)sp, st, + PFSYNC_MSG_VERSION_1301); +} + +void +pfsync_state_export_1400(struct pfsync_state_1400 *sp, struct pf_kstate *st) +{ + bzero(sp, sizeof(*sp)); + pfsync_state_export((union pfsync_state_union *)sp, st, + PFSYNC_MSG_VERSION_1400); +} + +void +pfsync_state_export_1500(struct pfsync_state_1500 *sp, struct pf_kstate *st) +{ + bzero(sp, sizeof(*sp)); + pfsync_state_export((union pfsync_state_union *)sp, st, + PFSYNC_MSG_VERSION_1500); +} + void pf_state_export(struct pf_state_export *sp, struct pf_kstate *st) {
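Review bot: The now-static `pfsync_state_export` (hunk at -5797) still takes `union pfsync_state_union *`, but it is only ever reached through the `(union pfsync_state_union *)sp` casts in the wrappers added in the hunk at -5931, where the object behind `sp` can be smaller than the union. Nothing in the code ties `msg_version` to the size of that object, and the helper writes the common fields through `sp->pfs_1301` for every version, so it depends on a shared prefix layout. The overrun this commit removes would return if a wrapper passed the wrong version constant or if the helper stored to a member of a larger format outside its version branch. I would document that above the helper, e.g. `/* sp is zeroed by the caller and is only as large as the format named by msg_version; common fields go through pfs_1301, and no member of a larger format may be written. */`. The helper's body continues outside this hunk, so whether every version-specific store is already guarded cannot be checked from here.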