From owner-svn-src-user@FreeBSD.ORG Tue Sep 2 14:08:28 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 68CA5A32; Tue, 2 Sep 2014 14:08:28 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 524FC1BBE; Tue, 2 Sep 2014 14:08:28 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s82E8Spw053013; Tue, 2 Sep 2014 14:08:28 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s82E8RpP053008; Tue, 2 Sep 2014 14:08:27 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201409021408.s82E8RpP053008@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 2 Sep 2014 14:08:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r270965 - in user/cperciva/freebsd-update-build/patches: 10.0-RELEASE 8.4-RELEASE 9.1-RELEASE 9.2-RELEASE X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 14:08:28 -0000 Author: delphij Date: Tue Sep 2 14:08:27 2014 New Revision: 270965 URL: http://svnweb.freebsd.org/changeset/base/270965 Log: Add patches for 2014-07-08 batch. Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,15 @@ +Index: etc/rc.d/jail +=================================================================== +--- etc/rc.d/jail (revision 268273) ++++ etc/rc.d/jail (working copy) +@@ -647,7 +647,9 @@ jail_start() + done + + eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ +- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 ++ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ ++ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ ++ m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = sp->strseq; + if (sp->some_taken) { +@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***