--- sys/compat/linux/linux_ioctl.c.orig +++ sys/compat/linux/linux_ioctl.c @@ -253,6 +253,7 @@ } else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) { struct linux_hd_big_geometry hdbg; + memset(&hdbg, 0, sizeof(hdbg)); hdbg.cylinders = fwcylinders; hdbg.heads = fwheads; hdbg.sectors = fwsectors; @@ -2477,6 +2478,7 @@ printf("%s(): ioctl %d on %.*s\n", __func__, args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname); #endif + memset(ifname, 0, sizeof(ifname)); ifp = ifname_linux_to_bsd(td, lifname, ifname); if (ifp == NULL) return (EINVAL); --- sys/compat/linux/linux_ipc.c.orig +++ sys/compat/linux/linux_ipc.c @@ -548,6 +548,9 @@ register_t rval; int cmd, error; + memset(&linux_seminfo, 0, sizeof(linux_seminfo)); + memset(&linux_semid64, 0, sizeof(linux_semid64)); + switch (args->cmd & ~LINUX_IPC_64) { case LINUX_IPC_RMID: cmd = IPC_RMID; @@ -702,6 +705,8 @@ struct l_msqid64_ds linux_msqid64; struct msqid_ds bsd_msqid; + memset(&linux_msqid64, 0, sizeof(linux_msqid64)); + bsd_cmd = args->cmd & ~LINUX_IPC_64; switch (bsd_cmd) { case LINUX_IPC_INFO: @@ -708,6 +713,7 @@ case LINUX_MSG_INFO: { struct l_msginfo linux_msginfo; + memset(&linux_msginfo, 0, sizeof(linux_msginfo)); /* * XXX MSG_INFO uses the same data structure but returns different * dynamic counters in msgpool, msgmap, and msgtql fields. @@ -833,6 +839,10 @@ struct shmid_ds bsd_shmid; int error; + memset(&linux_shm_info, 0, sizeof(linux_shm_info)); + memset(&linux_shmid64, 0, sizeof(linux_shmid64)); + memset(&linux_shminfo64, 0, sizeof(linux_shminfo64)); + switch (args->cmd & ~LINUX_IPC_64) { case LINUX_IPC_INFO: { --- sys/dev/ath/if_ath_btcoex.c.orig +++ sys/dev/ath/if_ath_btcoex.c @@ -457,7 +457,7 @@ * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -466,6 +466,7 @@ switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; --- sys/dev/ath/if_ath_ioctl.c.orig +++ sys/dev/ath/if_ath_ioctl.c @@ -197,7 +197,7 @@ * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; --- sys/dev/ath/if_ath_lna_div.c.orig +++ sys/dev/ath/if_ath_lna_div.c @@ -187,7 +187,7 @@ * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -196,6 +196,7 @@ switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; --- sys/dev/ath/if_ath_spectral.c.orig +++ sys/dev/ath/if_ath_spectral.c @@ -212,7 +212,7 @@ * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -275,6 +275,7 @@ break; default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; --- sys/netinet/tcp_usrreq.c.orig +++ sys/netinet/tcp_usrreq.c @@ -1495,7 +1495,9 @@ return (error); } else if ((sopt->sopt_dir == SOPT_GET) && (sopt->sopt_name == TCP_FUNCTION_BLK)) { - strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name); + strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name, + TCP_FUNCTION_NAME_LEN_MAX); + fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0'; fsn.pcbcnt = tp->t_fb->tfb_refcnt; INP_WUNLOCK(inp); error = sooptcopyout(sopt, &fsn, sizeof fsn);