ktls: Zero out TLS_GET_RECORD control messages

Otherwise we end up copying one uninitialized byte into the socket buffer. Reported by: KMSAN Reviewed by: jhb MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33953
2022-01-20 15:42:46 -05:00 · 2022-01-20 15:42:46 -05:00 · 6be8944d96
commit 6be8944d96
parent d91d2b513e
2 changed files with 2 additions and 0 deletions
--- a/sys/dev/cxgbe/tom/t4_tls.c
+++ b/sys/dev/cxgbe/tom/t4_tls.c
@ -1052,6 +1052,7 @@ do_rx_tls_cmp(struct sge_iq *iq, const struct rss_header *rss, struct mbuf *m)

 	tgr = (struct tls_get_record *)
 	    CMSG_DATA(mtod(control, struct cmsghdr *));
+	memset(tgr, 0, sizeof(*tgr));
 	tgr->tls_type = tls_hdr_pkt->type;
 	tgr->tls_vmajor = be16toh(tls_hdr_pkt->version) >> 8;
 	tgr->tls_vminor = be16toh(tls_hdr_pkt->version) & 0xff;
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@ -2066,6 +2066,7 @@ ktls_decrypt(struct socket *so)
 		}

 		/* Allocate the control mbuf. */
+		memset(&tgr, 0, sizeof(tgr));
 		tgr.tls_type = record_type;
 		tgr.tls_vmajor = hdr->tls_vmajor;
 		tgr.tls_vminor = hdr->tls_vminor;