git: 6be8944d96d2 - main - ktls: Zero out TLS_GET_RECORD control messages

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Thu, 20 Jan 2022 20:43:35 UTC

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6be8944d96d2cb5938b69c63b483efa616eafb56

commit 6be8944d96d2cb5938b69c63b483efa616eafb56
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-01-20 20:42:46 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-01-20 20:42:46 +0000

    ktls: Zero out TLS_GET_RECORD control messages
    
    Otherwise we end up copying one uninitialized byte into the socket
    buffer.
    
    Reported by:    KMSAN
    Reviewed by:    jhb
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33953
---
 sys/dev/cxgbe/tom/t4_tls.c | 1 +
 sys/kern/uipc_ktls.c       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sys/dev/cxgbe/tom/t4_tls.c b/sys/dev/cxgbe/tom/t4_tls.c
index cd2a505e8346..06a21ade04c1 100644
--- a/sys/dev/cxgbe/tom/t4_tls.c
+++ b/sys/dev/cxgbe/tom/t4_tls.c
@@ -1052,6 +1052,7 @@ do_rx_tls_cmp(struct sge_iq *iq, const struct rss_header *rss, struct mbuf *m)
 
 	tgr = (struct tls_get_record *)
 	    CMSG_DATA(mtod(control, struct cmsghdr *));
+	memset(tgr, 0, sizeof(*tgr));
 	tgr->tls_type = tls_hdr_pkt->type;
 	tgr->tls_vmajor = be16toh(tls_hdr_pkt->version) >> 8;
 	tgr->tls_vminor = be16toh(tls_hdr_pkt->version) & 0xff;
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 5b37daf7d73b..5912db865ef6 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -2066,6 +2066,7 @@ ktls_decrypt(struct socket *so)
 		}
 
 		/* Allocate the control mbuf. */
+		memset(&tgr, 0, sizeof(tgr));
 		tgr.tls_type = record_type;
 		tgr.tls_vmajor = hdr->tls_vmajor;
 		tgr.tls_vminor = hdr->tls_vminor;