In kernel initialize struct sockaddr_in and sockaddr_in6 to zero

everywhere to avoid passing around pointers to uninitialized stack
memory.  While there, fix the call to in6_recoverscope() in
fill_drlist().
OK deraadt@ mpi@

3 files changed, 9 insertions, 8 deletions

diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 866a8a74e91..6773b0d998b 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6.c,v 1.165 2015/08/19 13:27:38 bluhm Exp $	*/
+/*	$OpenBSD: in6.c,v 1.166 2015/08/24 14:00:29 bluhm Exp $	*/
 /*	$KAME: in6.c,v 1.372 2004/06/14 08:14:21 itojun Exp $	*/
 
 /*
@@ -868,7 +868,7 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 		 * join interface-local all-nodes address.
 		 * (ff01::1%ifN, and ff01::%ifN/32)
 		 */
-		bzero(&mltaddr.sin6_addr, sizeof(mltaddr.sin6_addr));
+		bzero(&mltaddr, sizeof(mltaddr));
 		mltaddr.sin6_len = sizeof(struct sockaddr_in6);
 		mltaddr.sin6_family = AF_INET6;
 		mltaddr.sin6_addr = in6addr_intfacelocal_allnodes;
@@ -1346,7 +1346,7 @@ in6_addmulti(struct in6_addr *maddr6, struct ifnet *ifp, int *errorp)
 		 * New address; allocate a new multicast record
 		 * and link it into the interface's multicast list.
 		 */
-		in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT);
+		in6m = malloc(sizeof(*in6m), M_IPMADDR, M_NOWAIT | M_ZERO);
 		if (in6m == NULL) {
 			*errorp = ENOBUFS;
 			return (NULL);
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index e6cb30a07cc..ed028a80c63 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -557,6 +557,7 @@ ip6_mrouter_done(void)
 		for (mifi = 0; mifi < nummifs; mifi++) {
 			if (mif6table[mifi].m6_ifp &&
 			    !(mif6table[mifi].m6_flags & MIFF_REGISTER)) {
+				memset(&ifr, 0, sizeof(ifr));
 				ifr.ifr_addr.sin6_family = AF_INET6;
 				ifr.ifr_addr.sin6_addr= in6addr_any;
 				ifp = mif6table[mifi].m6_ifp;
@@ -695,6 +696,7 @@ add_m6if(struct mif6ctl *mifcp)
 		 * Enable promiscuous reception of all IPv6 multicasts
 		 * from the interface.
 		 */
+		memset(&ifr, 0, sizeof(ifr));
 		ifr.ifr_addr.sin6_family = AF_INET6;
 		ifr.ifr_addr.sin6_addr = in6addr_any;
 		error = (*ifp->if_ioctl)(ifp, SIOCADDMULTI, (caddr_t)&ifr);
@@ -760,6 +762,7 @@ del_m6if(mifi_t *mifip)
 		 */
 		ifp = mifp->m6_ifp;
 
+		memset(&ifr, 0, sizeof(ifr));
 		ifr.ifr_addr.sin6_family = AF_INET6;
 		ifr.ifr_addr.sin6_addr = in6addr_any;
 		(*ifp->if_ioctl)(ifp, SIOCDELMULTI, (caddr_t)&ifr);
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 1f6dca27246..b10dfb51563 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: nd6.c,v 1.146 2015/08/23 14:12:05 naddy Exp $	*/
+/*	$OpenBSD: nd6.c,v 1.147 2015/08/24 14:00:29 bluhm Exp $	*/
 /*	$KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $	*/
 
 /*
@@ -1834,9 +1834,7 @@ fill_drlist(void *oldp, size_t *oldlenp, size_t ol)
 			bzero(d, sizeof(*d));
 			d->rtaddr.sin6_family = AF_INET6;
 			d->rtaddr.sin6_len = sizeof(struct sockaddr_in6);
-			d->rtaddr.sin6_addr = dr->rtaddr;
-			in6_recoverscope(&d->rtaddr, &d->rtaddr.sin6_addr,
-			    dr->ifp);
+			in6_recoverscope(&d->rtaddr, &dr->rtaddr, dr->ifp);
 			d->flags = dr->flags;
 			d->rtlifetime = dr->rtlifetime;
 			d->expire = dr->expire;
@@ -1927,9 +1925,9 @@ fill_prlist(void *oldp, size_t *oldlenp, size_t ol)
 					advrtrs++;
 					continue;
 				}
+				bzero(&sin6, sizeof(sin6));
 				sin6.sin6_family = AF_INET6;
 				sin6.sin6_len = sizeof(struct sockaddr_in6);
-				sin6.sin6_addr = pfr->router->rtaddr;
 				in6_recoverscope(&sin6, &pfr->router->rtaddr,
 				    pfr->router->ifp);
 				advrtrs++;