git: 9769eb9282ea - stable/14 - altq: Clear stats structures in get_class_stats()
Date: Tue, 04 Nov 2025 13:24:52 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=9769eb9282ea7cd27210076adf1946b9235aa916
commit 9769eb9282ea7cd27210076adf1946b9235aa916
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-10-27 16:27:40 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-11-04 13:24:42 +0000
altq: Clear stats structures in get_class_stats()
These structures are copied out to userspace, and it's possible to leak
uninitialized stack bytes since these routines and their callers weren't
careful to clear them first. Add memsets to avoid this.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by: kp, emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53342
(cherry picked from commit ff08916e9ac689e6ce734de72325fc2bd9495a35)
---
sys/net/altq/altq_cbq.c | 2 ++
sys/net/altq/altq_fairq.c | 2 ++
sys/net/altq/altq_priq.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/sys/net/altq/altq_cbq.c b/sys/net/altq/altq_cbq.c
index fdf39690160b..2333b9ea8678 100644
--- a/sys/net/altq/altq_cbq.c
+++ b/sys/net/altq/altq_cbq.c
@@ -173,6 +173,8 @@ cbq_request(struct ifaltq *ifq, int req, void *arg)
static void
get_class_stats(class_stats_t *statsp, struct rm_class *cl)
{
+ memset(statsp, 0, sizeof(*statsp));
+
statsp->xmit_cnt = cl->stats_.xmit_cnt;
statsp->drop_cnt = cl->stats_.drop_cnt;
statsp->over = cl->stats_.over;
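Review bot: The added `memset(statsp, 0, sizeof(*statsp));` at the top of get_class_stats() has no comment saying why it is there, and because the lines after it assign fields one by one, a later cleanup could mistake it for redundant. Per the commit message the structure is copied out to userspace, so the zeroing is what keeps unassigned bytes (presumably padding and any field this function does not set) from carrying stale stack contents; a one-line comment such as `/* Copied out to userspace: zero padding and unassigned fields first. */` would record that. The same applies to the memset added in the altq_fairq.c and altq_priq.c hunks. All three function bodies continue past their hunks, so which fields are left unassigned cannot be checked from here. It may also be worth confirming that stats copyout paths in ALTQ disciplines not touched by this commit are cleared the same way.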
diff --git a/sys/net/altq/altq_fairq.c b/sys/net/altq/altq_fairq.c
index 6069865101a0..0a00168e547e 100644
--- a/sys/net/altq/altq_fairq.c
+++ b/sys/net/altq/altq_fairq.c
@@ -857,6 +857,8 @@ get_class_stats(struct fairq_classstats *sp, struct fairq_class *cl)
{
fairq_bucket_t *b;
+ memset(sp, 0, sizeof(*sp));
+
sp->class_handle = cl->cl_handle;
sp->qlimit = cl->cl_qlimit;
sp->xmit_cnt = cl->cl_xmitcnt;
diff --git a/sys/net/altq/altq_priq.c b/sys/net/altq/altq_priq.c
index 026346639b2e..fec488418546 100644
--- a/sys/net/altq/altq_priq.c
+++ b/sys/net/altq/altq_priq.c
@@ -597,6 +597,8 @@ priq_purgeq(struct priq_class *cl)
static void
get_class_stats(struct priq_classstats *sp, struct priq_class *cl)
{
+ memset(sp, 0, sizeof(*sp));
+
sp->class_handle = cl->cl_handle;
sp->qlength = qlen(cl->cl_q);
sp->qlimit = qlimit(cl->cl_q);