6621369 IP_OPTIONS handling in udp and rawip causes panics, uninitial…

…ized data

usr/src/uts/common/inet/ip/icmp.c

@@ -729,6 +729,7 @@ icmp_close_free(conn_t *connp)
 	if (icmp->icmp_ip_snd_options != NULL) {
 		mi_free((char *)icmp->icmp_ip_snd_options);
 		icmp->icmp_ip_snd_options = NULL;
+		icmp->icmp_ip_snd_options_len = 0;
 	}
 
 	if (icmp->icmp_filter != NULL) {
@@ -743,6 +744,16 @@ icmp_close_free(conn_t *connp)
 		icmp->icmp_sticky_hdrs_len = 0;
 	}
 	ip6_pkt_free(&icmp->icmp_sticky_ipp);
+
+	/*
+	 * Clear any fields which the kmem_cache constructor clears.
+	 * Only icmp_connp needs to be preserved.
+	 * TBD: We should make this more efficient to avoid clearing
+	 * everything.
+	 */
+	ASSERT(icmp->icmp_connp == connp);
+	bzero(icmp, sizeof (icmp_t));
+	icmp->icmp_connp = connp;
 }
 
 static int

usr/src/uts/common/inet/udp/udp.c

@@ -1534,14 +1534,16 @@ udp_close_free(conn_t *connp)
 	udp_t *udp = connp->conn_udp;
 
 	/* If there are any options associated with the stream, free them. */
-	if (udp->udp_ip_snd_options) {
+	if (udp->udp_ip_snd_options != NULL) {
 		mi_free((char *)udp->udp_ip_snd_options);
 		udp->udp_ip_snd_options = NULL;
+		udp->udp_ip_snd_options_len = 0;
 	}
 
-	if (udp->udp_ip_rcv_options) {
+	if (udp->udp_ip_rcv_options != NULL) {
 		mi_free((char *)udp->udp_ip_rcv_options);
 		udp->udp_ip_rcv_options = NULL;
+		udp->udp_ip_rcv_options_len = 0;
 	}
 
 	/* Free memory associated with sticky options */
@@ -1553,6 +1555,16 @@ udp_close_free(conn_t *connp)
 	}
 
 	ip6_pkt_free(&udp->udp_sticky_ipp);
+
+	/*
+	 * Clear any fields which the kmem_cache constructor clears.
+	 * Only udp_connp needs to be preserved.
+	 * TBD: We should make this more efficient to avoid clearing
+	 * everything.
+	 */
+	ASSERT(udp->udp_connp == connp);
+	bzero(udp, sizeof (udp_t));
+	udp->udp_connp = connp;
 }
 
 /*