authordelphij <delphij@FreeBSD.org>2014-07-08 21:54:50 +0000
committerdelphij <delphij@FreeBSD.org>2014-07-08 21:54:50 +0000
commit7642e9504ac0d63f22399949935c50539d80d459 (patch)
tree1ebd2b8a09ad088103bafe31a59e4825a7929382 /sys/netinet/sctp_indata.c
parentabffff4ca73c5d2f27f90182ef9bf715bb532e05 (diff)
Fix kernel memory disclosure in control message and SCTP notifications.
Security: FreeBSD-SA-14:17.kmem Security: CVE-2014-3952, CVE-2014-3953
Diffstat (limited to 'sys/netinet/sctp_indata.c')
-rw-r--r--sys/netinet/sctp_indata.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 52ba865..eac73e5 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo)
/* We need a CMSG header followed by the struct */
cmh = mtod(ret, struct cmsghdr *);
+ /*
+ * Make sure that there is no un-initialized padding between the
+ * cmsg header and cmsg data and after the cmsg data.
+ */
+ memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
cmh->cmsg_level = IPPROTO_SCTP;
cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
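Review bot: The added `memset(cmh, 0, len)` is only as correct as `len`, which is computed above this hunk and is not visible here. If `len` ever falls short of the total space the branches below fill, padding in the later control messages would again reach userland uninitialized; if it exceeds the mbuf's data area, the memset itself writes out of bounds. I would record the invariant next to the call, for example `/* len is the sum of CMSG_SPACE() for every cmsg built below */`, and consider a `KASSERT` at the end of the function that the final buffer length equals `len`. The body of sctp_build_ctl_nchunk starts and ends outside the hunk, so the relationship between `len` and the allocation is inferred and should be confirmed against the full function.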