svn commit: r270965 - in user/cperciva/freebsd-update-build/patches: 10.0-RELEASE 8.4-RELEASE 9.1-RELEASE 9.2-RELEASE
Xin LI
delphij at FreeBSD.org
Tue Sep 2 14:08:28 UTC 2014
Author: delphij
Date: Tue Sep 2 14:08:27 2014
New Revision: 270965
URL: http://svnweb.freebsd.org/changeset/base/270965
Log:
Add patches for 2014-07-08 batch.
Added:
user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem
user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail
user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:17.kmem
user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem
user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem
Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c (revision 268273)
++++ sys/kern/uipc_sockbuf.c (working copy)
+@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c (revision 268273)
++++ sys/netinet/sctp_auth.c (working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+
+ SCTP_BUF_LEN(m_notify) = 0;
+ auth = mtod(m_notify, struct sctp_authkey_event *);
++ memset(auth, 0, sizeof(struct sctp_authkey_event));
+ auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ auth->auth_flags = 0;
+ auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c (revision 268273)
++++ sys/netinet/sctp_indata.c (working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+
+ /* We need a CMSG header followed by the struct */
+ cmh = mtod(ret, struct cmsghdr *);
++ /*
++ * Make sure that there is no un-initialized padding between the
++ * cmsg header and cmsg data and after the cmsg data.
++ */
++ memset(cmh, 0, len);
+ if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ cmh->cmsg_level = IPPROTO_SCTP;
+ cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c (revision 268273)
++++ sys/netinet/sctputil.c (working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ }
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ sac = mtod(m_notify, struct sctp_assoc_change *);
++ memset(sac, 0, notif_len);
+ sac->sac_type = SCTP_ASSOC_CHANGE;
+ sac->sac_flags = 0;
+ sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+- length += chk->send_size;
+- length -= sizeof(struct sctp_data_chunk);
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ if (sent) {
+ ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ if (sent) {
+ ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ /* no space left */
+ return;
+ }
+- length += sp->length;
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = sp->stream;
+ if (sp->some_taken) {
+ ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ ssf->ssf_info.sinfo_stream = sp->stream;
+ ssf->ssf_info.sinfo_ssn = 0;
+ if (sp->some_taken) {
+@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ sai = mtod(m_notify, struct sctp_adaptation_event *);
++ memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ sai->sai_flags = 0;
+ sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ pdapi->pdapi_flags = 0;
+ pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ /* no space left */
+ return;
+ sse = mtod(m_notify, struct sctp_shutdown_event *);
++ memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ sse->sse_flags = 0;
+ sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ }
+ SCTP_BUF_LEN(m_notify) = 0;
+ event = mtod(m_notify, struct sctp_sender_dry_event *);
++ memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ event->sender_dry_flags = 0;
+ event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_stream_change_event *stradd;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ return;
+ }
+ stcb->asoc.peer_req_out = 0;
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_stream_change_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ stradd = mtod(m_notify, struct sctp_stream_change_event *);
++ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ stradd->strchange_flags = flag;
+- stradd->strchange_length = len;
++ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ stradd->strchange_instrms = numberin;
+ stradd->strchange_outstrms = numberout;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_assoc_reset_event *strasoc;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ /* event not enabled */
+ return;
+ }
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_assoc_reset_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ strasoc->assocreset_flags = flag;
+- strasoc->assocreset_length = len;
++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ strasoc->assocreset_local_tsn = sending_tsn;
+ strasoc->assocreset_remote_tsn = recv_tsn;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ return;
+ }
+ strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++ memset(strreset, 0, len);
+ strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ strreset->strreset_flags = flag;
+ strreset->strreset_length = len;
+@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
+ fromlen = 0;
+ }
+
++ if (filling_sinfo) {
++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++ }
+ error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+- if ((controlp) && (filling_sinfo)) {
++ if (controlp != NULL) {
+ /* copy back the sinfo in a CMSG format */
+ if (filling_sinfo)
+ *controlp = sctp_build_ctl_nchunk(inp,
Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail Tue Sep 2 14:08:27 2014 (r270965)
@@ -0,0 +1,15 @@
+Index: etc/rc.d/jail
+===================================================================
+--- etc/rc.d/jail (revision 268273)
++++ etc/rc.d/jail (working copy)
+@@ -647,7 +647,9 @@ jail_start()
+ done
+
+ eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
+- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1
++ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
++ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
++ </dev/null
+
+ if [ "$?" -eq 0 ] ; then
+ _jail_id=$(head -1 ${_tmp_jail})
Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:17.kmem
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c (revision 268273)
++++ sys/kern/uipc_sockbuf.c (working copy)
+@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c (revision 268273)
++++ sys/netinet/sctp_auth.c (working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+
+ SCTP_BUF_LEN(m_notify) = 0;
+ auth = mtod(m_notify, struct sctp_authkey_event *);
++ memset(auth, 0, sizeof(struct sctp_authkey_event));
+ auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ auth->auth_flags = 0;
+ auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c (revision 268273)
++++ sys/netinet/sctp_indata.c (working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+
+ /* We need a CMSG header followed by the struct */
+ cmh = mtod(ret, struct cmsghdr *);
++ /*
++ * Make sure that there is no un-initialized padding between the
++ * cmsg header and cmsg data and after the cmsg data.
++ */
++ memset(cmh, 0, len);
+ if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ cmh->cmsg_level = IPPROTO_SCTP;
+ cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c (revision 268273)
++++ sys/netinet/sctputil.c (working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ }
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ sac = mtod(m_notify, struct sctp_assoc_change *);
++ memset(sac, 0, notif_len);
+ sac->sac_type = SCTP_ASSOC_CHANGE;
+ sac->sac_flags = 0;
+ sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+- length += chk->send_size;
+- length -= sizeof(struct sctp_data_chunk);
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ if (sent) {
+ ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ if (sent) {
+ ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ /* no space left */
+ return;
+ }
+- length += sp->length;
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = sp->stream;
+ if (sp->some_taken) {
+ ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ ssf->ssf_info.sinfo_stream = sp->stream;
+ ssf->ssf_info.sinfo_ssn = 0;
+ if (sp->some_taken) {
+@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ sai = mtod(m_notify, struct sctp_adaptation_event *);
++ memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ sai->sai_flags = 0;
+ sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ pdapi->pdapi_flags = 0;
+ pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ /* no space left */
+ return;
+ sse = mtod(m_notify, struct sctp_shutdown_event *);
++ memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ sse->sse_flags = 0;
+ sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ }
+ SCTP_BUF_LEN(m_notify) = 0;
+ event = mtod(m_notify, struct sctp_sender_dry_event *);
++ memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ event->sender_dry_flags = 0;
+ event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_stream_change_event *stradd;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ return;
+ }
+ stcb->asoc.peer_req_out = 0;
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_stream_change_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ stradd = mtod(m_notify, struct sctp_stream_change_event *);
++ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ stradd->strchange_flags = flag;
+- stradd->strchange_length = len;
++ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ stradd->strchange_instrms = numberin;
+ stradd->strchange_outstrms = numberout;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_assoc_reset_event *strasoc;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ /* event not enabled */
+ return;
+ }
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_assoc_reset_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ strasoc->assocreset_flags = flag;
+- strasoc->assocreset_length = len;
++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ strasoc->assocreset_local_tsn = sending_tsn;
+ strasoc->assocreset_remote_tsn = recv_tsn;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ return;
+ }
+ strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++ memset(strreset, 0, len);
+ strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ strreset->strreset_flags = flag;
+ strreset->strreset_length = len;
+@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
+ fromlen = 0;
+ }
+
++ if (filling_sinfo) {
++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++ }
+ error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+- if ((controlp) && (filling_sinfo)) {
++ if (controlp != NULL) {
+ /* copy back the sinfo in a CMSG format */
+ if (filling_sinfo)
+ *controlp = sctp_build_ctl_nchunk(inp,
Added: user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c (revision 268273)
++++ sys/kern/uipc_sockbuf.c (working copy)
+@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c (revision 268273)
++++ sys/netinet/sctp_auth.c (working copy)
+@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+
+ SCTP_BUF_LEN(m_notify) = 0;
+ auth = mtod(m_notify, struct sctp_authkey_event *);
++ memset(auth, 0, sizeof(struct sctp_authkey_event));
+ auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ auth->auth_flags = 0;
+ auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c (revision 268273)
++++ sys/netinet/sctp_indata.c (working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+
+ /* We need a CMSG header followed by the struct */
+ cmh = mtod(ret, struct cmsghdr *);
++ /*
++ * Make sure that there is no un-initialized padding between the
++ * cmsg header and cmsg data and after the cmsg data.
++ */
++ memset(cmh, 0, len);
+ if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ cmh->cmsg_level = IPPROTO_SCTP;
+ cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c (revision 268273)
++++ sys/netinet/sctputil.c (working copy)
+@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ }
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ sac = mtod(m_notify, struct sctp_assoc_change *);
++ memset(sac, 0, notif_len);
+ sac->sac_type = SCTP_ASSOC_CHANGE;
+ sac->sac_flags = 0;
+ sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+- length += chk->send_size;
+- length -= sizeof(struct sctp_data_chunk);
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ if (sent) {
+ ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ if (sent) {
+ ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ /* no space left */
+ return;
+ }
+- length += sp->length;
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = sp->stream;
+ if (sp->some_taken) {
+ ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ ssf->ssf_info.sinfo_stream = sp->stream;
+ ssf->ssf_info.sinfo_ssn = sp->strseq;
+ if (sp->some_taken) {
+@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ sai = mtod(m_notify, struct sctp_adaptation_event *);
++ memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ sai->sai_flags = 0;
+ sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ pdapi->pdapi_flags = 0;
+ pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ /* no space left */
+ return;
+ sse = mtod(m_notify, struct sctp_shutdown_event *);
++ memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ sse->sse_flags = 0;
+ sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ }
+ SCTP_BUF_LEN(m_notify) = 0;
+ event = mtod(m_notify, struct sctp_sender_dry_event *);
++ memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ event->sender_dry_flags = 0;
+ event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_stream_change_event *stradd;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ return;
+ }
+ stcb->asoc.peer_req_out = 0;
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_stream_change_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ stradd = mtod(m_notify, struct sctp_stream_change_event *);
++ memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ stradd->strchange_flags = flag;
+- stradd->strchange_length = len;
++ stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ stradd->strchange_instrms = numberin;
+ stradd->strchange_outstrms = numberout;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_assoc_reset_event *strasoc;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ /* event not enabled */
+ return;
+ }
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+- len = sizeof(struct sctp_assoc_reset_event);
+- if (len > M_TRAILINGSPACE(m_notify)) {
+- /* never enough room */
+- sctp_m_freem(m_notify);
+- return;
+- }
+ strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ strasoc->assocreset_flags = flag;
+- strasoc->assocreset_length = len;
++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ strasoc->assocreset_local_tsn = sending_tsn;
+ strasoc->assocreset_remote_tsn = recv_tsn;
+- SCTP_BUF_LEN(m_notify) = len;
++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ /* no space */
+@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ return;
+ }
+ strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++ memset(strreset, 0, len);
+ strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ strreset->strreset_flags = flag;
+ strreset->strreset_length = len;
+@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so,
+ fromlen = 0;
+ }
+
++ if (filling_sinfo) {
++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++ }
+ error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+- if ((controlp) && (filling_sinfo)) {
++ if (controlp != NULL) {
+ /* copy back the sinfo in a CMSG format */
+ if (filling_sinfo)
+ *controlp = sctp_build_ctl_nchunk(inp,
Added: user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965)
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c (revision 268273)
++++ sys/kern/uipc_sockbuf.c (working copy)
+@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c (revision 268273)
++++ sys/netinet/sctp_auth.c (working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+
+ SCTP_BUF_LEN(m_notify) = 0;
+ auth = mtod(m_notify, struct sctp_authkey_event *);
++ memset(auth, 0, sizeof(struct sctp_authkey_event));
+ auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ auth->auth_flags = 0;
+ auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c (revision 268273)
++++ sys/netinet/sctp_indata.c (working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+
+ /* We need a CMSG header followed by the struct */
+ cmh = mtod(ret, struct cmsghdr *);
++ /*
++ * Make sure that there is no un-initialized padding between the
++ * cmsg header and cmsg data and after the cmsg data.
++ */
++ memset(cmh, 0, len);
+ if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ cmh->cmsg_level = IPPROTO_SCTP;
+ cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c (revision 268273)
++++ sys/netinet/sctputil.c (working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ }
+ SCTP_BUF_NEXT(m_notify) = NULL;
+ sac = mtod(m_notify, struct sctp_assoc_change *);
++ memset(sac, 0, notif_len);
+ sac->sac_type = SCTP_ASSOC_CHANGE;
+ sac->sac_flags = 0;
+ sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ if (m_notify == NULL)
+ /* no space left */
+ return;
+- length += chk->send_size;
+- length -= sizeof(struct sctp_data_chunk);
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ if (sent) {
+ ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ if (sent) {
+ ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ } else {
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
+ }
++ length += chk->send_size;
++ length -= sizeof(struct sctp_data_chunk);
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ /* no space left */
+ return;
+ }
+- length += sp->length;
+ SCTP_BUF_LEN(m_notify) = 0;
+ if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++ memset(ssfe, 0, length);
+ ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssfe->ssfe_length = length;
+ ssfe->ssfe_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ ssfe->ssfe_info.snd_sid = sp->stream;
+ if (sp->some_taken) {
+ ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ } else {
+ ssf = mtod(m_notify, struct sctp_send_failed *);
++ memset(ssf, 0, length);
+ ssf->ssf_type = SCTP_SEND_FAILED;
+ ssf->ssf_flags = SCTP_DATA_UNSENT;
++ length += sp->length;
+ ssf->ssf_length = length;
+ ssf->ssf_error = error;
+ /* not exactly what the user sent in, but should be close :) */
+- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ ssf->ssf_info.sinfo_stream = sp->stream;
+ ssf->ssf_info.sinfo_ssn = 0;
+ if (sp->some_taken) {
+@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ sai = mtod(m_notify, struct sctp_adaptation_event *);
++ memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ sai->sai_flags = 0;
+ sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ return;
+ SCTP_BUF_LEN(m_notify) = 0;
+ pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ pdapi->pdapi_flags = 0;
+ pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ /* no space left */
+ return;
+ sse = mtod(m_notify, struct sctp_shutdown_event *);
++ memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ sse->sse_flags = 0;
+ sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ }
+ SCTP_BUF_LEN(m_notify) = 0;
+ event = mtod(m_notify, struct sctp_sender_dry_event *);
++ memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ event->sender_dry_flags = 0;
+ event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ struct mbuf *m_notify;
+ struct sctp_queued_to_read *control;
+ struct sctp_stream_change_event *stradd;
+- int len;
+
+ if ((stcb == NULL) ||
+ (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ return;
+ }
+ stcb->asoc.peer_req_out = 0;
+- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA);
+ if (m_notify == NULL)
+ /* no space left */
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-user
mailing list