Hi, struct sockaddr_in and struct sockaddr_in6 should always be zeroed before use, so that padding and any field left unset never carries uninitialized stack memory to whoever receives the pointer. Most of the kernel already does this; this diff fixes the remaining places where sin_family/sin6_family is assigned. Do not pass around pointers to uninitialized stack memory.
There are some global route variables, I think the padding fields are always zero and do not change. I did not touch them. While there, the call to in6_recoverscope() in fill_drlist() looked very broken. I prefered memset() over bzero(), but if a source file was only using the latter, I have chosen this. ok? bluhm Index: net/pipex.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/pipex.c,v retrieving revision 1.72 diff -u -p -r1.72 pipex.c --- net/pipex.c 16 Jul 2015 16:12:15 -0000 1.72 +++ net/pipex.c 19 Aug 2015 19:02:39 -0000 @@ -1736,12 +1736,14 @@ drop: struct pipex_session * pipex_pptp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst) { - struct sockaddr_in sin4; + struct sockaddr_in sin; - sin4.sin_family = AF_INET; - sin4.sin_addr = dst; + memset(&sin, 0, sizeof(sin)); + sin.sin_len = sizeof(sin); + sin.sin_family = AF_INET; + sin.sin_addr = dst; - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin4); + return pipex_pptp_userland_lookup_session(m0, sintosa(&sin)); } #ifdef INET6 @@ -1750,10 +1752,12 @@ pipex_pptp_userland_lookup_session_ipv6( { struct sockaddr_in6 sin6; + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_len = sizeof(sin6); sin6.sin6_family = AF_INET6; in6_recoverscope(&sin6, &dst, NULL); - return pipex_pptp_userland_lookup_session(m0, (struct sockaddr *)&sin6); + return pipex_pptp_userland_lookup_session(m0, sin6tosa(&sin6)); } #endif @@ -2168,12 +2172,14 @@ drop: struct pipex_session * pipex_l2tp_userland_lookup_session_ipv4(struct mbuf *m0, struct in_addr dst) { - struct sockaddr_in sin4; + struct sockaddr_in sin; - sin4.sin_family = AF_INET; - sin4.sin_addr = dst; + memset(&sin, 0, sizeof(sin)); + sin.sin_len = sizeof(sin); + sin.sin_family = AF_INET; + sin.sin_addr = dst; - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin4); + return pipex_l2tp_userland_lookup_session(m0, sintosa(&sin)); } #ifdef INET6 
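Review bot: In pipex_pptp_userland_lookup_session_ipv6 the call `in6_recoverscope(&sin6, &dst, NULL);` is still a bare statement, so any status the helper reports is dropped, and it is given no ifp; if the helper falls back to the interface index for a link-local address without an embedded zone id (its body is not visible here), a link-local dst is now looked up with the sin6_scope_id that the memset left at 0. Worth confirming that this matches how sessions are keyed when they are registered, or adding `/* no ifp: any scope must already be embedded in dst */` above the call so the NULL reads as deliberate. The function lies entirely within the hunk.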
@@ -2182,10 +2188,12 @@ pipex_l2tp_userland_lookup_session_ipv6( { struct sockaddr_in6 sin6; + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_len = sizeof(sin6); sin6.sin6_family = AF_INET6; in6_recoverscope(&sin6, &dst, NULL); - return pipex_l2tp_userland_lookup_session(m0, (struct sockaddr *)&sin6); + return pipex_l2tp_userland_lookup_session(m0, sin6tosa(&sin6)); } #endif Index: netinet/in.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in.c,v retrieving revision 1.120 diff -u -p -r1.120 in.c --- netinet/in.c 8 Jul 2015 07:56:51 -0000 1.120 +++ netinet/in.c 19 Aug 2015 19:18:55 -0000 @@ -809,7 +809,7 @@ in_addmulti(struct in_addr *ap, struct i * New address; allocate a new multicast record * and link it into the interface's multicast list. */ - inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT); + inm = malloc(sizeof(*inm), M_IPMADDR, M_NOWAIT | M_ZERO); if (inm == NULL) return (NULL); @@ -824,6 +824,7 @@ in_addmulti(struct in_addr *ap, struct i * Ask the network driver to update its multicast reception * filter appropriately for the new address. */ + memset(&ifr, 0, sizeof(ifr)); memcpy(&ifr.ifr_addr, &inm->inm_sin, sizeof(inm->inm_sin)); if ((*ifp->if_ioctl)(ifp, SIOCADDMULTI,(caddr_t)&ifr) != 0) { free(inm, M_IPMADDR, sizeof(*inm)); @@ -867,6 +868,7 @@ in_delmulti(struct in_multi *inm) * reception filter. */ if (ifp != NULL) { + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; Index: netinet/ip_mroute.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_mroute.c,v retrieving revision 1.79 diff -u -p -r1.79 ip_mroute.c --- netinet/ip_mroute.c 15 Jul 2015 17:55:08 -0000 1.79 +++ netinet/ip_mroute.c 19 Aug 2015 19:25:51 -0000 
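Review bot: pipex_l2tp_userland_lookup_session_ipv6 now repeats pipex_pptp_userland_lookup_session_ipv6 line for line apart from the callee, and the IPv4 pair has the same shape; a helper such as `static void pipex_sockaddr_in6(struct sockaddr_in6 *sin6, const struct in6_addr *dst)` holding the memset/sin6_len/sin6_family/in6_recoverscope sequence would stop the four wrappers drifting the way the originals did (neither zeroed nor set the length). As with the pptp variant, the NULL ifp and the discarded in6_recoverscope() result deserve a one-line comment. The function lies entirely within the hunk.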
@@ -889,6 +889,7 @@ add_vif(struct mbuf *m) return (EOPNOTSUPP); /* Enable promiscuous reception of all IP multicasts. */ + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr; @@ -943,6 +944,7 @@ reset_vif(struct vif *vifp) reg_vif_num = VIFI_INVALID; #endif } else { + memset(&ifr, 0, sizeof(ifr)); satosin(&ifr.ifr_addr)->sin_len = sizeof(struct sockaddr_in); satosin(&ifr.ifr_addr)->sin_family = AF_INET; satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr; Index: netinet6/in6.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v retrieving revision 1.165 diff -u -p -r1.165 in6.c --- netinet6/in6.c 19 Aug 2015 13:27:38 -0000 1.165 +++ netinet6/in6.c 19 Aug 2015 19:02:39 -0000 @@ -868,7 +868,7 @@ in6_update_ifa(struct ifnet *ifp, struct * join interface-local all-nodes address. * (ff01::1%ifN, and ff01::%ifN/32) */ - bzero(&mltaddr.sin6_addr, sizeof(mltaddr.sin6_addr)); + bzero(&mltaddr, sizeof(mltaddr)); mltaddr.sin6_len = sizeof(struct sockaddr_in6); mltaddr.sin6_family = AF_INET6; mltaddr.sin6_addr = in6addr_intfacelocal_allnodes; @@ -1346,7 +1346,7 @@ in6_addmulti(struct in6_addr *maddr6, st * New address; allocate a new multicast record * and link it into the interface's multicast list. */ - in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT); + in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT | M_ZERO); if (in6m == NULL) { *errorp = ENOBUFS; return (NULL); Index: netinet6/ip6_mroute.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_mroute.c,v retrieving revision 1.86 diff -u -p -r1.86 ip6_mroute.c --- netinet6/ip6_mroute.c 15 Jul 2015 17:56:05 -0000 1.86 +++ netinet6/ip6_mroute.c 19 Aug 2015 19:02:39 -0000 
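Review bot: With the whole ifr now zeroed, `satosin(&ifr.ifr_addr)->sin_addr = zeroin_addr;` in add_vif (and the identical line in reset_vif) no longer changes anything; either drop it or keep it with `/* INADDR_ANY, spelled out for readability */` so the next reader does not look for a reason. The two hunks build the same sockaddr_in four lines apiece and could share a small static helper. Both enclosing functions extend beyond their hunks.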
@@ -557,6 +557,7 @@ ip6_mrouter_done(void) for (mifi = 0; mifi < nummifs; mifi++) { if (mif6table[mifi].m6_ifp && !(mif6table[mifi].m6_flags & MIFF_REGISTER)) { + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr= in6addr_any; ifp = mif6table[mifi].m6_ifp; @@ -695,6 +696,7 @@ add_m6if(struct mif6ctl *mifcp) * Enable promiscuous reception of all IPv6 multicasts * from the interface. */ + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr = in6addr_any; error = (*ifp->if_ioctl)(ifp, SIOCADDMULTI, (caddr_t)&ifr); @@ -760,6 +762,7 @@ del_m6if(mifi_t *mifip) */ ifp = mifp->m6_ifp; + memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sin6_family = AF_INET6; ifr.ifr_addr.sin6_addr = in6addr_any; (*ifp->if_ioctl)(ifp, SIOCDELMULTI, (caddr_t)&ifr); Index: netinet6/nd6.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6.c,v retrieving revision 1.145 diff -u -p -r1.145 nd6.c --- netinet6/nd6.c 19 Aug 2015 13:27:38 -0000 1.145 +++ netinet6/nd6.c 19 Aug 2015 19:02:39 -0000 @@ -1834,9 +1834,7 @@ fill_drlist(void *oldp, size_t *oldlenp, bzero(d, sizeof(*d)); d->rtaddr.sin6_family = AF_INET6; d->rtaddr.sin6_len = sizeof(struct sockaddr_in6); - d->rtaddr.sin6_addr = dr->rtaddr; - in6_recoverscope(&d->rtaddr, &d->rtaddr.sin6_addr, - dr->ifp); + in6_recoverscope(&d->rtaddr, &dr->rtaddr, dr->ifp); d->flags = dr->flags; d->rtlifetime = dr->rtlifetime; d->expire = dr->expire; 
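Review bot: The memset removes the garbage, but all three ip6_mroute.c hunks (ip6_mrouter_done, add_m6if, del_m6if) still hand the driver a sockaddr_in6 whose sin6_len is 0, while the IPv4 counterparts in ip_mroute.c set sin_len explicitly; add `ifr.ifr_addr.sin6_len = sizeof(ifr.ifr_addr);` beside the sin6_family assignment in each, which is also what the diff's own rule of fully initializing sockaddr_in6 asks for. The three blocks are byte-identical and could share a helper. The enclosing loops and functions start outside the hunks.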
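Review bot: In fill_drlist the new `in6_recoverscope(&d->rtaddr, &dr->rtaddr, dr->ifp);` is still called as a statement, so if the helper can report failure (I cannot see its definition here) the entry is copied out to userland with whatever it managed to fill in and the caller never learns. Either check the result, or add `/* cannot fail: only copies the address and recovers the zone id */` if that is indeed the contract, so the discarded value is visibly intentional. fill_drlist continues on both sides of the hunk.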
@@ -1927,9 +1925,9 @@ fill_prlist(void *oldp, size_t *oldlenp, continue; } s6 = &sin6[advrtrs]; + bzero(s6, sizeof(*s6)); s6->sin6_family = AF_INET6; s6->sin6_len = sizeof(struct sockaddr_in6); - s6->sin6_addr = pfr->router->rtaddr; in6_recoverscope(s6, &pfr->router->rtaddr, pfr->router->ifp); advrtrs++; Index: nfs/krpc_subr.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/nfs/krpc_subr.c,v retrieving revision 1.28 diff -u -p -r1.28 krpc_subr.c --- nfs/krpc_subr.c 15 Jul 2015 22:16:42 -0000 1.28 +++ nfs/krpc_subr.c 19 Aug 2015 19:32:32 -0000 @@ -270,7 +270,8 @@ krpc_call(struct sockaddr_in *sa, u_int MGET(m, M_WAIT, MT_SONAME); sin = mtod(m, struct sockaddr_in *); - sin->sin_len = m->m_len = sizeof (struct sockaddr_in); + memset(sin, 0, sizeof(*sin)); + sin->sin_len = m->m_len = sizeof(struct sockaddr_in); sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(0); Index: nfs/nfs_socket.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/nfs/nfs_socket.c,v retrieving revision 1.110 diff -u -p -r1.110 nfs_socket.c --- nfs/nfs_socket.c 15 Jul 2015 22:16:42 -0000 1.110 +++ nfs/nfs_socket.c 19 Aug 2015 19:34:28 -0000 @@ -258,7 +258,8 @@ nfs_connect(struct nfsmount *nmp, struct MGET(m, M_WAIT, MT_SONAME); sin = mtod(m, struct sockaddr_in *); - sin->sin_len = m->m_len = sizeof (struct sockaddr_in); + memset(sin, 0, sizeof(*sin)); + sin->sin_len = m->m_len = sizeof(struct sockaddr_in); sin->sin_family = AF_INET; sin->sin_addr.s_addr = INADDR_ANY; sin->sin_port = htons(0);
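Review bot: In krpc_call the new `memset(sin, 0, sizeof(*sin));` is immediately followed by `sizeof(struct sockaddr_in)` for the same object; pick one spelling for both lines (`sizeof(*sin)` keeps them tied to the variable's type) so a later type change cannot desynchronize them. Once the structure is zeroed, `sin->sin_addr.s_addr = INADDR_ANY;` and `sin->sin_port = htons(0);` are redundant; leaving them is fine for clarity, but `/* explicit: any local address, port chosen by the kernel */` would say why they stay. nfs_connect in nfs_socket.c receives the byte-identical hunk and the same remarks apply. krpc_call continues past the hunk.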