freebsd-sources-10.0.0.9999-r4: security fix FreeBSD-SA-14:17.kmem

3 files changed, 267 insertions, 2 deletions

diff --git a/sys-freebsd/freebsd-sources/Manifest b/sys-freebsd/freebsd-sources/Manifest
index 8c4ea32..2a4199c 100644
--- a/sys-freebsd/freebsd-sources/Manifest
+++ b/sys-freebsd/freebsd-sources/Manifest
@@ -1,5 +1,6 @@
 AUX config-GENTOO 73 SHA256 04a7695383baa247120cfd39f399b62c9d9b66682b79bc9bc1117f0aeb95b858 SHA512 436e1e1cb4077488cd1e054a96598c1c6dc2fda5c060d2d6c1bf2986b534016c86ea2afee0dcf883b4bde6946625596ea474a273013b18fdfa5538ebcfe6ea54 WHIRLPOOL 467ed565c0c6b508185f3c7d9a2031ce1861573614ba6fd5db7d6825fdaaabf23b9be1daef035d7fea9fa66f9d92ba17267085e894db66d8c9f49ed4ca9f16b9
 AUX freebsd-sources-10.0-EN-1407-pmap.patch 520 SHA256 64f3fc5765449538fecd6a911cf8fe4a03f8123a0169549ab2fa5363acbd4480 SHA512 eba94035c01d4e9819a89973a0e9baa2b573dfb20c9ee22cfbe786e29bb323beec54f6d6de2d14705c9a558ea6429e7a9edc81c34cd38ddcef4d9ed32b704108 WHIRLPOOL 4adb95ca70f781e5e812936a5fcf86149050bf10c12dccc9c1502ac6df79ae9f80e945b3872a55c187741d795f84e40ec83be015ecf9d7a729fcb13610429738
+AUX freebsd-sources-10.0-SA-1417-kmem.patch 10626 SHA256 217fed19e36d6febc973f2eff141e9d10ff5700122126b9097c36f9642b168e7 SHA512 0706bef96076723a92664316573c2a877e090213ea50fdde2418d8ea7d98acc76fd45832bb9b66a5af45b6fc97e9d6ab11e7aa561514a4c59ed3afce516d3581 WHIRLPOOL f06b189d12ee4dd7ccec1d84b68297d2b3e33c832440f01c94c07cf5e051e9fa8ef782c28d01f976a017941f832da0be88700575f1092498aaffb7eb931821ac
 AUX freebsd-sources-10.0-clang34.patch 838 SHA256 2f1b02ff11ac48958857fa07168ea27f4974884cdf850f54f3c61541bf9617d2 SHA512 63403f328a2c394aefc66a6230e5c7699ca59d809780686055152f53ce5f7b86b7f2b083951e5e51d0a34ed20561f2473a22c3af8919f0336bf6f10a9db03113 WHIRLPOOL 5d0779ea5f5609f629d9751e365997ac39c2eaab3c0b8f2153b0ed17bf08896b581f3c109a51634be820f0e40b3cc18c6072b1540a1a270099263c63adfb3d67
 AUX freebsd-sources-10.0-gentoo.patch 713 SHA256 13588f0572ba95c86beb755ce3d681c963e220694e3c0b3aae29faf05f8479da SHA512 98b8d1bf033b9bd7147f10e5bb4a39ac4883ec02ef0cc3825541ff11cb9bfe5e7722e7b8dcefe4c356f9fb0f86ec5cad6fbf9b80dbfd04149142fea5f8712d4d WHIRLPOOL 6372ec9abb566d06db174dd20785ab1768487ac2d57799fabad2d45cb77418f0e39aa0bad745c873e1c50de86a70fa80890f7f2f377f6a53f4fd5b7a6fa49edf
 AUX freebsd-sources-6.0-flex-2.5.31.patch 826 SHA256 8aaf240a344106fc5434fd098eb6555a554d16513b71c95f93a93388021c3d99 SHA512 7183b1923019df12849e7d3984c4227d65275077cf95c3b0719b99dc852234eb3813db0e69e9c34bdfca45a59f7340209211d0b7a2a5074c2d1ad8ea0a3a3f64 WHIRLPOOL 620ae55a54333c55e44247aad76be467bdfa491dac646f65dc0e0b6b1a95fe8edf5087e9ed68abeac1ef6db1a91c0e673342bf44f8753b6b8a5dce889137cdcc
@@ -21,6 +22,6 @@ AUX freebsd-sources-9.2-gentoo-gcc.patch 506 SHA256 7457421478066b686dabc9a072ea
 AUX freebsd-sources-9.2-gentoo.patch 716 SHA256 9a196adef145f57bf960b936f69065f6793df55420ef010c04f76578eb5d1e23 SHA512 3f6d9c4e2e3ee34058bc44ffae87c1de82e70f03d31635f27e477437f3ad4e003d2f3d6c4ab393d18dfc8eeab4cbc0af4a25227ca5d48bcd579dc07bbe3bd7f1 WHIRLPOOL 4b0207d4ffffda9daa88663b638b542acb2f567284ef4456cd18fe74770793666bb5e9de34f02b1dbf29fa79d8bae9305ad84d5cf378510004b926beacb7250d
 AUX freebsd-sources-cve-2012-0217.patch 856 SHA256 9b752e65a29b2b9a4a1412765d69d00310c05508af1cfa6d8d3c16d545bb3ffe SHA512 b1ac18cae23b81fd5ab2fcb44bb9f9808d6eb80f52b8572b81296fdd0b18edee62460520bc753848283d67e13367bf99775a2a5c6cf0272def9cdff6ec6fa4d9 WHIRLPOOL 27e4d0647c5275b77123bef6b866ac841af4b1b547fc663f776da82a7889995eba21b930adeabf2a71b3fbe053d2af5583cbdb6e8fd16a0379d10214d24b9121
 AUX freebsd-sources-cve-2012-4576.patch 561 SHA256 c3ad42e10164eaa3d928fd11a68b5ab490981b5d4684315e7e78c582e680d6c2 SHA512 451fb9be983672fa8d85d34bf13b67e70ac4bbda44da0c16ee484349bcf4e9ad795f66c36b5216bbcf022f709727dc19760e9f23b001a5768d9fa15dbad8122a WHIRLPOOL 2f261add2b2d9014782198b564a807f1a61917e0fbe91354ce5b1a685b27e312e699b7dc799f1653c952864633be84dda110e37f74378a3c5f1c5aacacb6811d
-EBUILD freebsd-sources-10.0.0.9999-r3.ebuild 3722 SHA256 1787305dedb5935117f1c1d85a3997d981956af474d2d73f53a361816802c11e SHA512 15d00df0aab8898c2e2a6c2ca429d36ab7483e154350cf8e4a507287d4ba4efca0ec5d9d8c832bcf4e0181fda541978db0a981c5a545822861a28ee85b27955a WHIRLPOOL a9e5fb6d58962ed67b742c110871d4c4e311a34a81548b79ea63cdc7ac1747f55d66a7ef3e866b920ff3d6c91e92e42c4ceefde4096721c340040fe455b6a8c5
+EBUILD freebsd-sources-10.0.0.9999-r4.ebuild 3767 SHA256 157f4aca34c64778cb10fa0682ef2bcb71234a75d764617a2b565335a5fe0e06 SHA512 4404b0ca857ef88bad1f36238f79ee82a4806fee0207dfaa64c0e152d59f0a86450666d7fe0bff6134fdf8bffda0181f8169d68ae379d5016e49f1f4584f1fc6 WHIRLPOOL b7b8c3cf385134d59d76aa791cec0a290fd0c7c93c2d464084bdff8c4f6f074bff39a1d16ee7008d1b5024c9e75f1b78f07f33ac101a8426875e0e2a72abb0d5
 EBUILD freebsd-sources-9.9999_p266864.ebuild 3480 SHA256 53444c2041f38e45f405f11f3ca98f833ddaec78d0ec9fd2c4d11d2826455404 SHA512 0d77fbb0c7a02d04f728f728ae89b1839fa042aa29d28189bbf82f378dd909d711f04cad5e9aab2b7ba2796dd50526475f7842664d63d09452a6359b995ef795 WHIRLPOOL 032aa9f584e58d1431d542968b927b670b40668e6350e1c3b05e38357d4da0a922ee5bdade75c1d5ca51727b3930cbe1803dec36cabcf91057e4406db2bca9a8
 MISC metadata.xml 410 SHA256 f29a086ab076d7e7924571990c4cab73cce2aec303e10cf3be057dfa0c8b27fd SHA512 d949aac7499d418fce878c099d47713112e1856346dbf7478e95c14f37a5f2c2fbd580a21b2330712e439d5be235bc2de69ac182bd46c1727e95fbb3b081dd0f WHIRLPOOL ffc6ba7653dfa4be5d63231043a64c85a3ad2409f98b8e1f9cf03dd51edb84b1ed0add5a613e591e9f2409c92e3be08e8b3f7f2073fa45f362c19ef72ec7f63d
diff --git a/sys-freebsd/freebsd-sources/files/freebsd-sources-10.0-SA-1417-kmem.patch b/sys-freebsd/freebsd-sources/files/freebsd-sources-10.0-SA-1417-kmem.patch
new file mode 100644
index 0000000..433da94
--- /dev/null
+++ b/sys-freebsd/freebsd-sources/files/freebsd-sources-10.0-SA-1417-kmem.patch
@@ -0,0 +1,263 @@
+Index: sys/kern/uipc_sockbuf.c
+===================================================================
+--- sys/kern/uipc_sockbuf.c	(revision 268273)
++++ sys/kern/uipc_sockbuf.c	(working copy)
+@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int
+ 	m->m_len = 0;
+ 	KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ 	    ("sbcreatecontrol: short mbuf"));
++	/*
++	 * Don't leave the padding between the msg header and the
++	 * cmsg data and the padding after the cmsg data un-initialized.
++	 */
++	bzero(cp, CMSG_SPACE((u_int)size));
+ 	if (p != NULL)
+ 		(void)memcpy(CMSG_DATA(cp), p, size);
+ 	m->m_len = CMSG_SPACE(size);
+Index: sys/netinet/sctp_auth.c
+===================================================================
+--- sys/netinet/sctp_auth.c	(revision 268273)
++++ sys/netinet/sctp_auth.c	(working copy)
+@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb,
+ 
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	auth = mtod(m_notify, struct sctp_authkey_event *);
++	memset(auth, 0, sizeof(struct sctp_authkey_event));
+ 	auth->auth_type = SCTP_AUTHENTICATION_EVENT;
+ 	auth->auth_flags = 0;
+ 	auth->auth_length = sizeof(*auth);
+Index: sys/netinet/sctp_indata.c
+===================================================================
+--- sys/netinet/sctp_indata.c	(revision 268273)
++++ sys/netinet/sctp_indata.c	(working copy)
+@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru
+ 
+ 	/* We need a CMSG header followed by the struct */
+ 	cmh = mtod(ret, struct cmsghdr *);
++	/*
++	 * Make sure that there is no un-initialized padding between the
++	 * cmsg header and cmsg data and after the cmsg data.
++	 */
++	memset(cmh, 0, len);
+ 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
+ 		cmh->cmsg_level = IPPROTO_SCTP;
+ 		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
+Index: sys/netinet/sctputil.c
+===================================================================
+--- sys/netinet/sctputil.c	(revision 268273)
++++ sys/netinet/sctputil.c	(working copy)
+@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc
+ 		}
+ 		SCTP_BUF_NEXT(m_notify) = NULL;
+ 		sac = mtod(m_notify, struct sctp_assoc_change *);
++		memset(sac, 0, notif_len);
+ 		sac->sac_type = SCTP_ASSOC_CHANGE;
+ 		sac->sac_flags = 0;
+ 		sac->sac_length = sizeof(struct sctp_assoc_change);
+@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+-	length += chk->send_size;
+-	length -= sizeof(struct sctp_data_chunk);
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		if (sent) {
+ 			ssfe->ssfe_flags = SCTP_DATA_SENT;
+@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssfe->ssfe_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number;
+ 		ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags;
+ 		ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype;
+@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		if (sent) {
+ 			ssf->ssf_flags = SCTP_DATA_SENT;
+@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin
+ 		} else {
+ 			ssf->ssf_flags = SCTP_DATA_UNSENT;
+ 		}
++		length += chk->send_size;
++		length -= sizeof(struct sctp_data_chunk);
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		/* no space left */
+ 		return;
+ 	}
+-	length += sp->length;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) {
+ 		ssfe = mtod(m_notify, struct sctp_send_failed_event *);
++		memset(ssfe, 0, length);
+ 		ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT;
+ 		ssfe->ssfe_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssfe->ssfe_length = length;
+ 		ssfe->ssfe_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info));
+ 		ssfe->ssfe_info.snd_sid = sp->stream;
+ 		if (sp->some_taken) {
+ 			ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG;
+@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui
+ 		SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event);
+ 	} else {
+ 		ssf = mtod(m_notify, struct sctp_send_failed *);
++		memset(ssf, 0, length);
+ 		ssf->ssf_type = SCTP_SEND_FAILED;
+ 		ssf->ssf_flags = SCTP_DATA_UNSENT;
++		length += sp->length;
+ 		ssf->ssf_length = length;
+ 		ssf->ssf_error = error;
+ 		/* not exactly what the user sent in, but should be close :) */
+-		bzero(&ssf->ssf_info, sizeof(ssf->ssf_info));
+ 		ssf->ssf_info.sinfo_stream = sp->stream;
+ 		ssf->ssf_info.sinfo_ssn = 0;
+ 		if (sp->some_taken) {
+@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	sai = mtod(m_notify, struct sctp_adaptation_event *);
++	memset(sai, 0, sizeof(struct sctp_adaptation_event));
+ 	sai->sai_type = SCTP_ADAPTATION_INDICATION;
+ 	sai->sai_flags = 0;
+ 	sai->sai_length = sizeof(struct sctp_adaptation_event);
+@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	pdapi = mtod(m_notify, struct sctp_pdapi_event *);
++	memset(pdapi, 0, sizeof(struct sctp_pdapi_event));
+ 	pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT;
+ 	pdapi->pdapi_flags = 0;
+ 	pdapi->pdapi_length = sizeof(struct sctp_pdapi_event);
+@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb)
+ 		/* no space left */
+ 		return;
+ 	sse = mtod(m_notify, struct sctp_shutdown_event *);
++	memset(sse, 0, sizeof(struct sctp_shutdown_event));
+ 	sse->sse_type = SCTP_SHUTDOWN_EVENT;
+ 	sse->sse_flags = 0;
+ 	sse->sse_length = sizeof(struct sctp_shutdown_event);
+@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb
+ 	}
+ 	SCTP_BUF_LEN(m_notify) = 0;
+ 	event = mtod(m_notify, struct sctp_sender_dry_event *);
++	memset(event, 0, sizeof(struct sctp_sender_dry_event));
+ 	event->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+ 	event->sender_dry_flags = 0;
+ 	event->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_stream_change_event *stradd;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) {
+@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb
+ 		return;
+ 	}
+ 	stcb->asoc.peer_req_out = 0;
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_stream_change_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	stradd = mtod(m_notify, struct sctp_stream_change_event *);
++	memset(stradd, 0, sizeof(struct sctp_stream_change_event));
+ 	stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT;
+ 	stradd->strchange_flags = flag;
+-	stradd->strchange_length = len;
++	stradd->strchange_length = sizeof(struct sctp_stream_change_event);
+ 	stradd->strchange_assoc_id = sctp_get_associd(stcb);
+ 	stradd->strchange_instrms = numberin;
+ 	stradd->strchange_outstrms = numberout;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
+@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 	struct mbuf *m_notify;
+ 	struct sctp_queued_to_read *control;
+ 	struct sctp_assoc_reset_event *strasoc;
+-	int len;
+ 
+ 	if ((stcb == NULL) ||
+ 	    (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) {
+@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb
+ 		/* event not enabled */
+ 		return;
+ 	}
+-	m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
++	m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA);
+ 	if (m_notify == NULL)
+ 		/* no space left */
+ 		return;
+ 	SCTP_BUF_LEN(m_notify) = 0;
+-	len = sizeof(struct sctp_assoc_reset_event);
+-	if (len > M_TRAILINGSPACE(m_notify)) {
+-		/* never enough room */
+-		sctp_m_freem(m_notify);
+-		return;
+-	}
+ 	strasoc = mtod(m_notify, struct sctp_assoc_reset_event *);
++	memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event));
+ 	strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT;
+ 	strasoc->assocreset_flags = flag;
+-	strasoc->assocreset_length = len;
++	strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event);
+ 	strasoc->assocreset_assoc_id = sctp_get_associd(stcb);
+ 	strasoc->assocreset_local_tsn = sending_tsn;
+ 	strasoc->assocreset_remote_tsn = recv_tsn;
+-	SCTP_BUF_LEN(m_notify) = len;
++	SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event);
+ 	SCTP_BUF_NEXT(m_notify) = NULL;
+ 	if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) {
+ 		/* no space */
+@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb,
+ 		return;
+ 	}
+ 	strreset = mtod(m_notify, struct sctp_stream_reset_event *);
++	memset(strreset, 0, len);
+ 	strreset->strreset_type = SCTP_STREAM_RESET_EVENT;
+ 	strreset->strreset_flags = flag;
+ 	strreset->strreset_length = len;
+@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so,
+ 		fromlen = 0;
+ 	}
+ 
++	if (filling_sinfo) {
++		memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo));
++	}
+ 	error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp,
+ 	    (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo);
+-	if ((controlp) && (filling_sinfo)) {
++	if (controlp != NULL) {
+ 		/* copy back the sinfo in a CMSG format */
+ 		if (filling_sinfo)
+ 			*controlp = sctp_build_ctl_nchunk(inp,
diff --git a/sys-freebsd/freebsd-sources/freebsd-sources-10.0.0.9999-r3.ebuild b/sys-freebsd/freebsd-sources/freebsd-sources-10.0.0.9999-r4.ebuild
index 3466e8d..f8a1361 100644
--- a/sys-freebsd/freebsd-sources/freebsd-sources-10.0.0.9999-r3.ebuild
+++ b/sys-freebsd/freebsd-sources/freebsd-sources-10.0.0.9999-r4.ebuild
@@ -47,7 +47,8 @@ PATCHES=( "${FILESDIR}/${PN}-9.0-disable-optimization.patch"
 	"${FILESDIR}/${PN}-9.1-cve-2014-1453.patch"
 	"${FILESDIR}/${PN}-9.1-tcp.patch"
 	"${FILESDIR}/${PN}-9.1-ciss.patch"
-	"${FILESDIR}/${PN}-10.0-EN-1407-pmap.patch" )
+	"${FILESDIR}/${PN}-10.0-EN-1407-pmap.patch"
+	"${FILESDIR}/${PN}-10.0-SA-1417-kmem.patch" )
 
 pkg_setup() {
 	# Force set CC=clang. when using gcc, aesni fails to build.