From 6be8944d96d2cb5938b69c63b483efa616eafb56 Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Thu, 20 Jan 2022 15:42:46 -0500
Subject: [PATCH] ktls: Zero out TLS_GET_RECORD control messages

Otherwise we end up copying one uninitialized byte into the socket buffer.

Reported by: KMSAN
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33953
---
sys/dev/cxgbe/tom/t4_tls.c | 1 +
sys/kern/uipc_ktls.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/sys/dev/cxgbe/tom/t4_tls.c b/sys/dev/cxgbe/tom/t4_tls.c
index cd2a505e8346..06a21ade04c1 100644
--- a/sys/dev/cxgbe/tom/t4_tls.c
+++ b/sys/dev/cxgbe/tom/t4_tls.c
@@ -1052,6 +1052,7 @@ do_rx_tls_cmp(struct sge_iq *iq, const struct rss_header *rss, struct mbuf *m)
 tgr = (struct tls_get_record *) CMSG_DATA(mtod(control, struct cmsghdr *));
+ memset(tgr, 0, sizeof(*tgr));
 tgr->tls_type = tls_hdr_pkt->type;
 tgr->tls_vmajor = be16toh(tls_hdr_pkt->version) >> 8;
 tgr->tls_vminor = be16toh(tls_hdr_pkt->version) & 0xff;
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 5b37daf7d73b..5912db865ef6 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -2066,6 +2066,7 @@ ktls_decrypt(struct socket *so)
 } /* Allocate the control mbuf. */
+ memset(&tgr, 0, sizeof(tgr));
 tgr.tls_type = record_type;
 tgr.tls_vmajor = hdr->tls_vmajor;
 tgr.tls_vminor = hdr->tls_vminor;
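Review bot: The new `memset(tgr, 0, sizeof(*tgr));` in do_rx_tls_cmp has no comment saying why it is there, and the same applies to `memset(&tgr, 0, sizeof(tgr));` in ktls_decrypt. Because the lines that follow assign the named fields one by one, the call looks redundant and is an easy target for a later cleanup. That would bring back the uninitialized byte in data that is copied into the socket buffer, which the commit message describes. I would add `/* Zero the whole record: bytes not covered by a named field must not carry stale kernel memory into the socket buffer. */` above both calls. The body of do_rx_tls_cmp starts and ends outside this hunk, so whether the control mbuf payload is already cleared when it is allocated cannot be checked from here.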
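Review bot: In ktls_decrypt the added memset sits directly under `/* Allocate the control mbuf. */`, so that comment now heads the zeroing and the field assignments rather than an allocation. The allocation it refers to is presumably further down, outside this hunk. Either move the memset above the comment or reword the comment to cover what follows, for example `/* Build the TLS_GET_RECORD payload, then allocate the control mbuf. */`. This is a readability point only; the zeroing itself is in the right place relative to the field stores shown.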