> Struct sockaddr_in and sockaddr_in6 should always be initialized
> to zero.
In the kernel, for sure. Just in case a bcmp is run by someone, or
a whole sockaddr is copied out to userland.
In userland, the policy is not quite the same. There (as guenther
has explained in various forums) the idea is that the kernel ignores
the uninitialized components, but provides zeroes for those values.
> Most of the kernel does this already; this diff fixes all
> other places where sin_family is assigned. Do not pass around
> pointers to uninitialized stack memory.
>
> There are some global route variables, I think the padding fields
> are always zero and do not change. I did not touch them.
>
> While there, the call to in6_recoverscope() in fill_drlist() looked
> very broken.
>
> I preferred memset() over bzero(), but if a source file was only
> using the latter, I have kept that.
OK deraadt
> Index: net/pipex.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/pipex.c,v
> retrieving revision 1.72
> diff -u -p -r1.72 pipex.c
> --- net/pipex.c 16 Jul 2015 16:12:15 -0000 1.72
> +++ net/pipex.c 19 Aug 2015 19:02:39 -0000
> @@ -1736,12 +1736,14 @@ drop:
> struct pipex_session *
> pipex_pptp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst)
> {
> - struct sockaddr_in sin4;
> + struct sockaddr_in sin;
>
> - sin4.sin_family = AF_INET;
> - sin4.sin_addr = dst;
> + memset(&sin, 0, sizeof(sin));
> + sin.sin_len = sizeof(sin);
> + sin.sin_family = AF_INET;
> + sin.sin_addr = dst;
>
> - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin4);
> + return pipex_pptp_userland_lookup_session(m0, sintosa(&sin));
> }
>
> #ifdef INET6
> @@ -1750,10 +1752,12 @@ pipex_pptp_userland_lookup_session_ipv6(
> {
> struct sockaddr_in6 sin6;
>
> + memset(&sin6, 0, sizeof(sin6));
> + sin6.sin6_len = sizeof(sin6);
> sin6.sin6_family = AF_INET6;
> in6_recoverscope(&sin6, &dst, NULL);
>
> - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin6);
> + return pipex_pptp_userland_lookup_session(m0, sin6tosa(&sin6));
> }
> #endif
>
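Review bot: The result of `in6_recoverscope(&sin6, &dst, NULL)` is discarded, so when it fails (it returns an int error in this tree, as far as I recall) the lookup proceeds with sin6_scope_id still 0 and the scope word presumably still embedded in sin6_addr, i.e. a key that does not match what the session table stores. The same ignored result is in the l2tp IPv6 hunk below and in both nd6.c hunks (fill_drlist and fill_prlist), where the struct is then copied out to userland. If the failure is deliberately tolerated a comment saying so would help; otherwise `if (in6_recoverscope(&sin6, &dst, NULL) != 0) return (NULL);` keeps a malformed key out of the lookup, assuming the function returns a pointer like its IPv4 sibling. The signature of pipex_pptp_userland_lookup_session_ipv6 is outside the hunk.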
> @@ -2168,12 +2172,14 @@ drop:
> struct pipex_session *
> pipex_l2tp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst)
> {
> - struct sockaddr_in sin4;
> + struct sockaddr_in sin;
>
> - sin4.sin_family = AF_INET;
> - sin4.sin_addr = dst;
> + memset(&sin, 0, sizeof(sin));
> + sin.sin_len = sizeof(sin);
> + sin.sin_family = AF_INET;
> + sin.sin_addr = dst;
>
> - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin4);
> + return pipex_l2tp_userland_lookup_session(m0, sintosa(&sin));
> }
>
> #ifdef INET6
> @@ -2182,10 +2188,12 @@ pipex_l2tp_userland_lookup_session_ipv6(
> {
> struct sockaddr_in6 sin6;
>
> + memset(&sin6, 0, sizeof(sin6));
> + sin6.sin6_len = sizeof(sin6);
> sin6.sin6_family = AF_INET6;
> in6_recoverscope(&sin6, &dst, NULL);
>
> - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin6);
> + return pipex_l2tp_userland_lookup_session(m0, sin6tosa(&sin6));
> }
> #endif
>
> Index: netinet/in.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in.c,v
> retrieving revision 1.120
> diff -u -p -r1.120 in.c
> --- netinet/in.c 8 Jul 2015 07:56:51 -0000 1.120
> +++ netinet/in.c 19 Aug 2015 19:18:55 -0000
> @@ -809,7 +809,7 @@ in_addmulti(struct in_addr *ap, struct i
> * New address; allocate a new multicast record
> * and link it into the interface's multicast list.
> */
> - inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT);
> + inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT | M_ZERO);
> if (inm == NULL)
> return (NULL);
>
> @@ -824,6 +824,7 @@ in_addmulti(struct in_addr *ap, struct i
> * Ask the network driver to update its multicast reception
> * filter appropriately for the new address.
> */
> + memset(&ifr, 0, sizeof(ifr));
> memcpy(&ifr.ifr_addr, &inm->inm_sin, sizeof(inm->inm_sin));
> if ((*ifp->if_ioctl)(ifp, SIOCADDMULTI,(caddr_t)&ifr) != 0) {
> free(inm, M_IPMADDR, sizeof(*inm));
> @@ -867,6 +868,7 @@ in_delmulti(struct in_multi *inm)
> * reception filter.
> */
> if (ifp != NULL) {
> + memset(&ifr, 0, sizeof(ifr));
> satosin(&ifr.ifr_addr)->sin_len =
> sizeof(struct sockaddr_in);
> satosin(&ifr.ifr_addr)->sin_family = AF_INET;
> Index: netinet/ip_mroute.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_mroute.c,v
> retrieving revision 1.79
> diff -u -p -r1.79 ip_mroute.c
> --- netinet/ip_mroute.c 15 Jul 2015 17:55:08 -0000 1.79
> +++ netinet/ip_mroute.c 19 Aug 2015 19:25:51 -0000
> @@ -889,6 +889,7 @@ add_vif(struct mbuf *m)
> return (EOPNOTSUPP);
>
> /* Enable promiscuous reception of all IP multicasts. */
> + memset(&ifr, 0, sizeof(ifr));
> satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in);
> satosin(&ifr.ifr_addr)->sin_family = AF_INET;
> satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr;
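Review bot: With `ifr` now zeroed in full, `satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr;` restates what the memset() just did; the same holds for the reset_vif hunk below, for `in6addr_any` in the three ip6_mroute.c hunks, and for `INADDR_ANY`/`htons(0)` in krpc_subr.c and nfs_socket.c. Either form is fine, but the diff currently mixes them: the pipex hunks rely on the memset for sin_port while krpc_call still spells every zero out. Picking one convention makes it obvious to the next reader which fields are intentionally zero and which are merely left over.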
> @@ -943,6 +944,7 @@ reset_vif(struct vif *vifp)
> reg_vif_num = VIFI_INVALID;
> #endif
> } else {
> + memset(&ifr, 0, sizeof(ifr));
> satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in);
> satosin(&ifr.ifr_addr)->sin_family = AF_INET;
> satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr;
> Index: netinet6/in6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
> retrieving revision 1.165
> diff -u -p -r1.165 in6.c
> --- netinet6/in6.c 19 Aug 2015 13:27:38 -0000 1.165
> +++ netinet6/in6.c 19 Aug 2015 19:02:39 -0000
> @@ -868,7 +868,7 @@ in6_update_ifa(struct ifnet *ifp, struct
> * join interface-local all-nodes address.
> * (ff01::1%ifN, and ff01::%ifN/32)
> */
> - bzero(&mltaddr.sin6_addr, sizeof(mltaddr.sin6_addr));
> + bzero(&mltaddr, sizeof(mltaddr));
> mltaddr.sin6_len = sizeof(struct sockaddr_in6);
> mltaddr.sin6_family = AF_INET6;
> mltaddr.sin6_addr = in6addr_intfacelocal_allnodes;
> @@ -1346,7 +1346,7 @@ in6_addmulti(struct in6_addr *maddr6, st
> * New address; allocate a new multicast record
> * and link it into the interface's multicast list.
> */
> - in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT);
> + in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT | M_ZERO);
> if (in6m == NULL) {
> *errorp = ENOBUFS;
> return (NULL);
> Index: netinet6/ip6_mroute.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_mroute.c,v
> retrieving revision 1.86
> diff -u -p -r1.86 ip6_mroute.c
> --- netinet6/ip6_mroute.c 15 Jul 2015 17:56:05 -0000 1.86
> +++ netinet6/ip6_mroute.c 19 Aug 2015 19:02:39 -0000
> @@ -557,6 +557,7 @@ ip6_mrouter_done(void)
> for (mifi = 0; mifi < nummifs; mifi++) {
> if (mif6table[mifi].m6_ifp &&
> !(mif6table[mifi].m6_flags & MIFF_REGISTER)) {
> + memset(&ifr, 0, sizeof(ifr));
> ifr.ifr_addr.sin6_family = AF_INET6;
> ifr.ifr_addr.sin6_addr= in6addr_any;
> ifp = mif6table[mifi].m6_ifp;
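Review bot: The IPv6 `ifr` here gets sin6_family and sin6_addr but no sin6_len, whereas the IPv4 counterparts in in.c and ip_mroute.c set sin_len alongside sin_family; after the new memset() it is a deterministic 0 instead of stack garbage, but a driver that validates sa_len on the SIOCADDMULTI/SIOCDELMULTI path would still see a wrong length. Unless the drivers reached through if_ioctl are known to ignore it, add `ifr.ifr_addr.sin6_len = sizeof(struct sockaddr_in6);` right after the memset here and in the add_m6if and del_m6if hunks. The enclosing loop and function bodies extend outside the hunk.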
> @@ -695,6 +696,7 @@ add_m6if(struct mif6ctl *mifcp)
> * Enable promiscuous reception of all IPv6 multicasts
> * from the interface.
> */
> + memset(&ifr, 0, sizeof(ifr));
> ifr.ifr_addr.sin6_family = AF_INET6;
> ifr.ifr_addr.sin6_addr = in6addr_any;
> error = (*ifp->if_ioctl)(ifp, SIOCADDMULTI, (caddr_t)&ifr);
> @@ -760,6 +762,7 @@ del_m6if(mifi_t *mifip)
> */
> ifp = mifp->m6_ifp;
>
> + memset(&ifr, 0, sizeof(ifr));
> ifr.ifr_addr.sin6_family = AF_INET6;
> ifr.ifr_addr.sin6_addr = in6addr_any;
> (*ifp->if_ioctl)(ifp, SIOCDELMULTI, (caddr_t)&ifr);
> Index: netinet6/nd6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6.c,v
> retrieving revision 1.145
> diff -u -p -r1.145 nd6.c
> --- netinet6/nd6.c 19 Aug 2015 13:27:38 -0000 1.145
> +++ netinet6/nd6.c 19 Aug 2015 19:02:39 -0000
> @@ -1834,9 +1834,7 @@ fill_drlist(void *oldp, size_t *oldlenp,
> bzero(d, sizeof(*d));
> d->rtaddr.sin6_family = AF_INET6;
> d->rtaddr.sin6_len = sizeof(struct sockaddr_in6);
> - d->rtaddr.sin6_addr = dr->rtaddr;
> - in6_recoverscope(&d->rtaddr, &d->rtaddr.sin6_addr,
> - dr->ifp);
> + in6_recoverscope(&d->rtaddr, &dr->rtaddr, dr->ifp);
> d->flags = dr->flags;
> d->rtlifetime = dr->rtlifetime;
> d->expire = dr->expire;
> @@ -1927,9 +1925,9 @@ fill_prlist(void *oldp, size_t *oldlenp,
> continue;
> }
> s6 = &sin6[advrtrs];
> + bzero(s6, sizeof(*s6));
> s6->sin6_family = AF_INET6;
> s6->sin6_len = sizeof(struct sockaddr_in6);
> - s6->sin6_addr = pfr->router->rtaddr;
> in6_recoverscope(s6, &pfr->router->rtaddr,
> pfr->router->ifp);
> advrtrs++;
> Index: nfs/krpc_subr.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/nfs/krpc_subr.c,v
> retrieving revision 1.28
> diff -u -p -r1.28 krpc_subr.c
> --- nfs/krpc_subr.c 15 Jul 2015 22:16:42 -0000 1.28
> +++ nfs/krpc_subr.c 19 Aug 2015 19:32:32 -0000
> @@ -270,7 +270,8 @@ krpc_call(struct sockaddr_in *sa, u_int
>
> MGET(m, M_WAIT, MT_SONAME);
> sin = mtod(m, struct sockaddr_in *);
> - sin->sin_len = m->m_len = sizeof (struct sockaddr_in);
> + memset(sin, 0, sizeof(*sin));
> + sin->sin_len = m->m_len = sizeof(struct sockaddr_in);
> sin->sin_family = AF_INET;
> sin->sin_addr.s_addr = INADDR_ANY;
> sin->sin_port = htons(0);
> Index: nfs/nfs_socket.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/nfs/nfs_socket.c,v
> retrieving revision 1.110
> diff -u -p -r1.110 nfs_socket.c
> --- nfs/nfs_socket.c 15 Jul 2015 22:16:42 -0000 1.110
> +++ nfs/nfs_socket.c 19 Aug 2015 19:34:28 -0000
> @@ -258,7 +258,8 @@ nfs_connect(struct nfsmount *nmp, struct
>
> MGET(m, M_WAIT, MT_SONAME);
> sin = mtod(m, struct sockaddr_in *);
> - sin->sin_len = m->m_len = sizeof (struct sockaddr_in);
> + memset(sin, 0, sizeof(*sin));
> + sin->sin_len = m->m_len = sizeof(struct sockaddr_in);
> sin->sin_family = AF_INET;
> sin->sin_addr.s_addr = INADDR_ANY;
> sin->sin_port = htons(0);
>