Date:      Tue, 19 Jul 2022 14:09:29 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: b7806e7bae20 - stable/13 - ktls: Zero out TLS_GET_RECORD control messages
Message-ID:  <202207191409.26JE9TlI052037@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7806e7bae20553d479bc96fdfe7ae735072b9bd

commit b7806e7bae20553d479bc96fdfe7ae735072b9bd
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-01-20 20:42:46 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-07-19 13:53:41 +0000

    ktls: Zero out TLS_GET_RECORD control messages
    
    Otherwise we end up copying one uninitialized byte into the socket
    buffer.
    
    Reported by:    KMSAN
    Reviewed by:    jhb
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 6be8944d96d2cb5938b69c63b483efa616eafb56)
---
 sys/dev/cxgbe/tom/t4_tls.c | 1 +
 sys/kern/uipc_ktls.c       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sys/dev/cxgbe/tom/t4_tls.c b/sys/dev/cxgbe/tom/t4_tls.c
index fdd6d43c796b..97bf3a016fb2 100644
--- a/sys/dev/cxgbe/tom/t4_tls.c
+++ b/sys/dev/cxgbe/tom/t4_tls.c
@@ -2157,6 +2157,7 @@ do_rx_tls_cmp(struct sge_iq *iq, const struct rss_header *rss, struct mbuf *m)
 
 		tgr = (struct tls_get_record *)
 		    CMSG_DATA(mtod(control, struct cmsghdr *));
+		memset(tgr, 0, sizeof(*tgr));
 		tgr->tls_type = tls_hdr_pkt->type;
 		tgr->tls_vmajor = be16toh(tls_hdr_pkt->version) >> 8;
 		tgr->tls_vminor = be16toh(tls_hdr_pkt->version) & 0xff;
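Review bot: the memset added ahead of the tgr assignments in do_rx_tls_cmp() carries no comment explaining why the whole structure is cleared when the fields are assigned individually right after it. The commit message gives the reason (one uninitialized byte is otherwise copied into the socket buffer), so a one-line comment above the memset saying it clears the bytes the field assignments do not write would stop a later cleanup from removing it as redundant.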
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index f6190e24a6b2..f60d5e0948d0 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -1986,6 +1986,7 @@ ktls_decrypt(struct socket *so)
 		}
 
 		/* Allocate the control mbuf. */
+		memset(&tgr, 0, sizeof(tgr));
 		tgr.tls_type = record_type;
 		tgr.tls_vmajor = hdr->tls_vmajor;
 		tgr.tls_vminor = hdr->tls_vminor;
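Review bot: in ktls_decrypt() the new memset sits directly under the existing "Allocate the control mbuf." comment, which describes neither the zeroing nor the tgr assignments that follow it. Give the memset its own short comment stating that it keeps an uninitialized byte of tgr out of the socket buffer, as the commit message explains, so the comment and the code beneath it agree.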


