Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 Fix info leak. We are allocating a slot of size:



details:   https://anonhg.NetBSD.org/src/rev/9ffcc3bd7d00
branches:  trunk
changeset: 829240:9ffcc3bd7d00
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Jan 23 10:32:50 2018 +0000

description:
Fix info leak. We are allocating a slot of size:

        roundup(sizeof(*nd_opt) + ifp->if_addrlen, 8)

But we are not filling in the padding caused by the roundup, and therefore
several bytes are leaked, in the mbuf we're about to send to the network.

diffstat:

 sys/netinet6/icmp6.c |  10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diffs (49 lines):

diff -r bac851b16816 -r 9ffcc3bd7d00 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Tue Jan 23 09:21:59 2018 +0000
+++ b/sys/netinet6/icmp6.c      Tue Jan 23 10:32:50 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $ */
+/*     $NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $ */
 /*     $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2616,7 +2616,7 @@
        {
                /* target lladdr option */
                struct llentry *ln = NULL;
-               int len;
+               int len, pad;
                struct nd_opt_hdr *nd_opt;
                char *lladdr;
 
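Review bot: `pad` is declared as `int` next to `len`, but the patch only assigns it from an expression containing `sizeof(*nd_opt)` and passes it to `memset()` as a length, so the value goes from an unsigned size to `int` and back. Declaring it `size_t pad;` on its own line would avoid both implicit conversions and make it clear that it is a byte count that can never be negative.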
@@ -2625,17 +2625,21 @@
                        goto nolladdropt;
                len = sizeof(*nd_opt) + ifp->if_addrlen;
                len = (len + 7) & ~7;   /* round by 8 */
+               pad = len - (sizeof(*nd_opt) + ifp->if_addrlen);
+
                /* safety check */
                if (len + (p - (u_char *)ip6) > maxlen) {
                        LLE_RUNLOCK(ln);
                        goto nolladdropt;
                }
+
                if (ln->la_flags & LLE_VALID) {
                        nd_opt = (struct nd_opt_hdr *)p;
                        nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
                        nd_opt->nd_opt_len = len >> 3;
                        lladdr = (char *)(nd_opt + 1);
                        memcpy(lladdr, &ln->ll_addr, ifp->if_addrlen);
+                       memset(lladdr + ifp->if_addrlen, 0, pad);
                        p += len;
                }
                LLE_RUNLOCK(ln);
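Review bot: the new `pad = len - (sizeof(*nd_opt) + ifp->if_addrlen);` line repeats the unrounded size expression from two lines above it, so the `memset()` added after the `memcpy()` only clears the right bytes for as long as both copies of that expression stay in sync. Consider storing the unrounded size in a local once and deriving both `len` and `pad` from it, or zeroing the whole slot with `memset(p, 0, len)` at the top of the `LLE_VALID` branch before the header and address are written, which keeps the slot fully initialized even if the option layout changes later. A short comment on the `memset()` line saying that it clears the roundup padding before the mbuf is sent would also help, since the reason is currently only in the commit message.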


