CVS commit: src/sys/net
Module Name:src Committed By: mrg Date: Wed Jan 31 07:33:18 UTC 2018 Modified Files: src/sys/net: if_ipsec.c Log Message: apply a little more #ifdef INET/INET6. fixes !INET6 builds. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/sys/net/if_ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if_ipsec.c diff -u src/sys/net/if_ipsec.c:1.2 src/sys/net/if_ipsec.c:1.3 --- src/sys/net/if_ipsec.c:1.2 Mon Jan 15 02:39:53 2018 +++ src/sys/net/if_ipsec.c Wed Jan 31 07:33:18 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_ipsec.c,v 1.2 2018/01/15 02:39:53 knakahara Exp $ */ +/* $NetBSD: if_ipsec.c,v 1.3 2018/01/31 07:33:18 mrg Exp $ */ /* * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.2 2018/01/15 02:39:53 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3 2018/01/31 07:33:18 mrg Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -782,18 +782,30 @@ bad: } struct encap_funcs { +#ifdef INET int (*ef_inet)(struct ipsec_variant *); +#endif +#ifdef INET6 int (*ef_inet6)(struct ipsec_variant *); +#endif }; static struct encap_funcs ipsec_encap_attach = { +#ifdef INET .ef_inet = ipsecif4_attach, +#endif +#ifdef INET6 .ef_inet6 = _attach, +#endif }; static struct encap_funcs ipsec_encap_detach = { +#ifdef INET .ef_inet = ipsecif4_detach, +#endif +#ifdef INET6 .ef_inet6 = _detach, +#endif }; static int
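Review bot: with ef_inet and ef_inet6 now conditional members of struct encap_funcs, every read of those members must sit under the same #ifdef INET / #ifdef INET6 guards, otherwise a !INET6 build fails again at the first `->ef_inet6` dereference; the diff stops at the `static int` that follows ipsec_encap_detach, so the dispatch-by-address-family caller is not visible here and needs checking in the committed file. Separately, the IPv6 initializers render as `.ef_inet6 = _attach,` and `.ef_inet6 = _detach,` with no prefix, while the INET side names ipsecif4_attach and ipsecif4_detach; if that is only an artifact of this listing it is fine, otherwise the IPv6 function names are missing from the source.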
Re: CVS commit: src/sys/net/npf
On 31/01/2018 at 00:18, Mindaugas Rasiukevicius wrote:
> [...]
>> Fix this by using uint32_t. While here, it seems to me there is also a
>> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
>> a value that goes beyond the mbuf.
> [...]
> If the npc_hlen value is beyond the packet length, NPF's nbuf interface
> will catch that, since it performs the bounds check.

I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.

	while (nbuf_advance(nbuf, hlen, 0) != NULL) {
		[...]
		hlen = (ip6e->ip6e_len + 1) << 3;
		[...]
		npc->npc_hlen += hlen;
	}
	[continue execution...]

Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will fail,
and we're not handling this case. npc_hlen got incremented along the way, and
it now points past the end of the mbuf. Perhaps that's handled properly later,
but in all cases, we ought to handle the error right here instead of
processing the packet any further.

Note however that NPF is rather at the end of my TODO list, and I'll come back
to it later.

Maxime
Re: CVS commit: src/sys/net/npf
"Maxime Villard" wrote:
> Module Name:	src
> Committed By:	maxv
> Date:		Fri Dec 15 21:00:26 UTC 2017
>
> Modified Files:
> 	src/sys/net/npf: npf.h
>
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
>
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
> 8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this. I think this is the first serious
remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful
padding in the struct, so it is better to re-order the struct members in
this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check. However, I think we
should implement some sanity check for the npc_hlen value. RFC 7112
suggests that the IPv6 header chain should not exceed the MTU size (and
thus fit in the first fragment, in case of fragmentation). Some value
along these lines could be the basis for a sanity check..

--
Mindaugas
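The two replies above are about one loop: the npc_hlen accumulator that was 8 bits wide (so a single 216-byte Hop-by-Hop header makes 40 + 216 wrap to 0) and the iteration that carried on after nbuf_advance() failed. The following is an added example written for this page, not NPF code or anything from the thread: a stand-alone C walk over a constructed IPv6 packet that checks every extension header against the packet length before reading it and fails the packet otherwise, with a switch that reports the offset the way the old uint8_t field would have held it. The constants, struct ip6_ext, build_packet and probe are this example's own, and the packet they build is constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Protocol numbers and header sizes from RFC 8200, defined locally so the
 * example is self-contained. */
#define IPPROTO_HOPOPTS 0
#define IPPROTO_TCP     6
#define IPPROTO_ROUTING 43
#define IPPROTO_DSTOPTS 60
#define IP6_HDRLEN      40
#define TCP_HDRLEN      20

/* Generic extension-header prefix: Next Header, then Hdr Ext Len in 8-octet
 * units not counting the first 8 octets, so the header spans (len + 1) * 8. */
struct ip6_ext { uint8_t ip6e_nxt; uint8_t ip6e_len; };

static int is_ext(uint8_t p)
{
    return p == IPPROTO_HOPOPTS || p == IPPROTO_ROUTING || p == IPPROTO_DSTOPTS;
}

/*
 * Walk the extension-header chain of pkt[0..len) and return the offset of
 * the upper-layer header, or -1 if the chain runs past the packet. Each
 * header is bounds-checked before it is read: that is the error the loop in
 * npf_cache_ip left unhandled when nbuf_advance() failed. With eight_bit set
 * the returned offset is the one accumulated in a uint8_t, reproducing the
 * wrap of the old npc_hlen field; the reads themselves stay bounds-checked.
 */
static long walk_chain(const uint8_t *pkt, size_t len, int eight_bit)
{
    uint32_t off = IP6_HDRLEN;      /* width after the fix */
    uint8_t npc_hlen = IP6_HDRLEN;  /* width before the fix */
    uint8_t nxt;

    if (len < IP6_HDRLEN)
        return -1;
    nxt = pkt[6];                   /* Next Header of the fixed IPv6 header */
    while (is_ext(nxt)) {
        const struct ip6_ext *e;
        uint32_t hlen;

        if ((size_t)off + sizeof(*e) > len)     /* is the prefix readable? */
            return -1;
        e = (const struct ip6_ext *)(pkt + off);
        hlen = ((uint32_t)e->ip6e_len + 1) << 3;
        if ((size_t)off + hlen > len)           /* is the whole header inside? */
            return -1;
        nxt = e->ip6e_nxt;
        off += hlen;
        npc_hlen += (uint8_t)hlen;              /* 40 + 216 wraps to 0 */
    }
    return eight_bit ? (long)npc_hlen : (long)off;
}

/*
 * Constructed test packet: IPv6 header, one Hop-by-Hop header whose Hdr Ext
 * Len field is `extlen` (its body left as zero bytes), then a TCP header.
 * Returns the packet length, or 0 if it does not fit in the buffer.
 */
static size_t build_packet(uint8_t *buf, size_t cap, uint8_t extlen)
{
    size_t n = IP6_HDRLEN + (((size_t)extlen + 1) << 3) + TCP_HDRLEN;

    if (n > cap)
        return 0;
    memset(buf, 0, n);
    buf[0] = 0x60;                              /* version 6 */
    buf[4] = (uint8_t)((n - IP6_HDRLEN) >> 8);  /* payload length */
    buf[5] = (uint8_t)(n - IP6_HDRLEN);
    buf[6] = IPPROTO_HOPOPTS;                   /* next header */
    buf[7] = 64;                                /* hop limit */
    buf[IP6_HDRLEN] = IPPROTO_TCP;              /* HBH: next header */
    buf[IP6_HDRLEN + 1] = extlen;               /* HBH: hdr ext len */
    return n;
}

/* Build the packet for `extlen`, show the walker only its first `len` bytes
 * and return the offset it reports, or -1 if the packet is rejected. */
static long probe(uint8_t extlen, size_t len, int eight_bit)
{
    uint8_t buf[IP6_HDRLEN + 2048 + TCP_HDRLEN];
    size_t n = build_packet(buf, sizeof buf, extlen);

    if (n == 0 || len > n)
        return -1;
    return walk_chain(buf, len, eight_bit);
}

int main(void)
{
    /* 40 + (26 + 1) * 8 = 256: the 8-bit accumulator wraps to 0, so a rule
     * engine trusting it would read the "TCP ports" out of the IPv6 header. */
    printf("uint32_t: %ld  uint8_t: %ld\n", probe(26, 276, 0), probe(26, 276, 1));
    /* The same packet cut to 100 bytes: the bounds check rejects it. */
    printf("truncated: %ld\n", probe(26, 100, 0));
    return 0;
}
```

On the 276-byte packet the 32-bit walk reports 256 and the 8-bit walk reports 0, which is the offset a rule engine would then have used to locate the transport header; the same packet presented as 100 bytes is refused with -1 instead of leaving a stale offset behind.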
CVS commit: src/share/misc
Module Name:src Committed By: ginsbach Date: Tue Jan 30 22:45:12 UTC 2018 Modified Files: src/share/misc: acronyms.comp Log Message: Add more "* as a service" and "software defined *" acronyms To generate a diff of this commit: cvs rdiff -u -r1.189 -r1.190 src/share/misc/acronyms.comp Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/share/misc/acronyms.comp diff -u src/share/misc/acronyms.comp:1.189 src/share/misc/acronyms.comp:1.190 --- src/share/misc/acronyms.comp:1.189 Sun Jan 21 14:01:55 2018 +++ src/share/misc/acronyms.comp Tue Jan 30 22:45:12 2018 @@ -1,4 +1,4 @@ -$NetBSD: acronyms.comp,v 1.189 2018/01/21 14:01:55 alnsn Exp $ +$NetBSD: acronyms.comp,v 1.190 2018/01/30 22:45:12 ginsbach Exp $ 3WHS three-way handshake 8VSB 8-state vestigial side band modulation AA anti-aliasing @@ -351,6 +351,7 @@ DPI dots per inch DPL descriptor privilege level DPS Display PostScript DPST display power savings technology +DRAAS disaster recovery as a service DRAM dynamic random access memory DRBG deterministic random bit generator DRI direct rendering infrastructure @@ -560,6 +561,7 @@ HVM hardware virtual machine HZ Hertz I2O intelligent input/output IA information assurance +IAAS infrastructure as a service IANA Internet Assigned Numbers Authority IBC iterated block cipher IBM International Business Machines @@ -840,6 +842,7 @@ NFA nondeterministic finite automaton NFC near-field communication NFCI no functional change intended NFS network file system +NFV network function virtualization NIA next instruction address NIC network information center NIC network interface card @@ -913,6 +916,7 @@ P2P PCI to PCI P2P peer to peer PA phase accumulator PA physical address +PAAS platform as a service PAC phase-amplitude converter PAE physical address extension PAL phase alternating line 
@@ -1160,7 +1164,9 @@ SDK software development kit SDL Simple Declarative Language SDL Simple Direct-media Layer SDLC {software,system,systems} development life cycle +SDN software defined networking SDRAM synchronous dynamic random access memory +SDS software defined storage SDT syntax-directed translation SEGV segmentation violation SEO search engine optimization
CVS commit: [netbsd-6-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 22:11:24 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6-0]: ah_input.c esp_input.c ipcomp_input.c Log Message: Ooops, remainder of Ticket #1523, accidentally not committed previously To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.12.1 src/sys/netinet6/ah_input.c cvs rdiff -u -r1.50 -r1.50.12.1 src/sys/netinet6/esp_input.c cvs rdiff -u -r1.38 -r1.38.12.1 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ah_input.c diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.12.1 --- src/sys/netinet6/ah_input.c:1.59 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ah_input.c Tue Jan 30 22:11:24 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ah_input.c,v 1.59.12.1 2018/01/30 22:11:24 martin Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.12.1 2018/01/30 22:11:24 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i * next header field of the previous header. * This is necessary because AH will be stripped off below. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; ip6 = mtod(m, struct ip6_hdr *); Index: src/sys/netinet6/esp_input.c diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.12.1 --- src/sys/netinet6/esp_input.c:1.50 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/esp_input.c Tue Jan 30 22:11:24 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: esp_input.c,v 1.50.12.1 2018/01/30 22:11:24 martin Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.12.1 2018/01/30 22:11:24 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -834,7 +834,8 @@ noreplaycheck: /* * Set the next header field of the previous header correctly. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; stripsiz = esplen + ivlen; Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.12.1 --- src/sys/netinet6/ipcomp_input.c:1.38 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ipcomp_input.c Tue Jan 30 22:11:24 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.38.12.1 2018/01/30 22:11:24 martin Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.12.1 2018/01/30 22:11:24 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off m->m_flags |= M_DECRYPTED; /* update next header field */ - prvnxtp = ip6_get_prevhdr(m, off); + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; /*
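Review bot: all three hunks (ah6_input, esp6_input, ipcomp6_input) compute `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);`, which is the mtod-plus-offset pattern the ticket #1523 pull-up message calls wrong because the previous header may sit in a later mbuf of the chain; the frag6.c hunk pulled up under the same ticket fetches the byte with `IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, sizeof(*prvnxtp));` and drops the packet when it returns NULL. If these three callers are safe because the input path has already pulled the whole header chain into the first mbuf, say so in place of the carried-over `/* XXX */`; otherwise use IP6_EXTHDR_GET here as well and handle NULL.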
CVS commit: [netbsd-6-1] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 22:10:56 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c Log Message: Ooops, remainder of Ticket #1523, accidentally not committed previously To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ah_input.c diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.14.1 --- src/sys/netinet6/ah_input.c:1.59 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ah_input.c Tue Jan 30 22:10:56 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i * next header field of the previous header. * This is necessary because AH will be stripped off below. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; ip6 = mtod(m, struct ip6_hdr *); Index: src/sys/netinet6/esp_input.c diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.14.1 --- src/sys/netinet6/esp_input.c:1.50 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/esp_input.c Tue Jan 30 22:10:56 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -834,7 +834,8 @@ noreplaycheck: /* * Set the next header field of the previous header correctly. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; stripsiz = esplen + ivlen; Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.14.1 --- src/sys/netinet6/ipcomp_input.c:1.38 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ipcomp_input.c Tue Jan 30 22:10:56 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off m->m_flags |= M_DECRYPTED; /* update next header field */ - prvnxtp = ip6_get_prevhdr(m, off); + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; /*
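Review bot: same remark for this branch as for the other #1523 pull-ups: each of the three hunks resolves the offset with `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);`, which assumes the previous header's Next Header byte is inside the first mbuf, and that assumption is exactly what the ip6_get_prevhdr fix was about. Either document why the earlier pullups in ah6_input/esp6_input/ipcomp6_input guarantee it, or fetch the byte through IP6_EXTHDR_GET and drop the packet on NULL, as the frag6.c part of the ticket does.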
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 22:10:20 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c Log Message: Ooops, remainder of Ticket #1523, accidentally not committed previously To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ah_input.c diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.8.1 --- src/sys/netinet6/ah_input.c:1.59 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ah_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i * next header field of the previous header. * This is necessary because AH will be stripped off below. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; ip6 = mtod(m, struct ip6_hdr *); Index: src/sys/netinet6/esp_input.c diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.8.1 --- src/sys/netinet6/esp_input.c:1.50 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/esp_input.c Tue Jan 30 22:10:20 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -834,7 +834,8 @@ noreplaycheck: /* * Set the next header field of the previous header correctly. */ - prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; stripsiz = esplen + ivlen; Index: src/sys/netinet6/ipcomp_input.c diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.8.1 --- src/sys/netinet6/ipcomp_input.c:1.38 Sun Jul 17 20:54:53 2011 +++ src/sys/netinet6/ipcomp_input.c Tue Jan 30 22:10:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $ */ +/* $NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $ */ /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */ /* @@ -35,7 +35,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off m->m_flags |= M_DECRYPTED; /* update next header field */ - prvnxtp = ip6_get_prevhdr(m, off); + const int prvnxt = ip6_get_prevhdr(m, off); + prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */ *prvnxtp = nxt; /*
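Review bot: the netbsd-6 variant carries the same open point as the other branches: `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);` in all three hunks turns the offset returned by ip6_get_prevhdr back into a first-mbuf pointer without checking that the byte lives there, and keeps the `/* XXX */` that marked the old call. The ipcomp6_input hunk even adds that marker where the old line had none. Replace the marker with either a justification (chain already pulled up) or an IP6_EXTHDR_GET plus NULL check.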
CVS commit: src/sys/dev/ic
Module Name:src Committed By: jakllsch Date: Tue Jan 30 20:20:38 UTC 2018 Modified Files: src/sys/dev/ic: mpt_netbsd.c Log Message: Move mpt_disc_enable setting into is_scsi block. The field is only 16 bits, and is only refered to in the is_scsi case. To generate a diff of this commit: cvs rdiff -u -r1.33 -r1.34 src/sys/dev/ic/mpt_netbsd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/mpt_netbsd.c diff -u src/sys/dev/ic/mpt_netbsd.c:1.33 src/sys/dev/ic/mpt_netbsd.c:1.34 --- src/sys/dev/ic/mpt_netbsd.c:1.33 Mon May 2 19:18:29 2016 +++ src/sys/dev/ic/mpt_netbsd.c Tue Jan 30 20:20:38 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: mpt_netbsd.c,v 1.33 2016/05/02 19:18:29 christos Exp $ */ +/* $NetBSD: mpt_netbsd.c,v 1.34 2018/01/30 20:20:38 jakllsch Exp $ */ /* * Copyright (c) 2003 Wasabi Systems, Inc. @@ -77,7 +77,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.33 2016/05/02 19:18:29 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.34 2018/01/30 20:20:38 jakllsch Exp $"); #include "bio.h" @@ -1121,12 +1121,6 @@ mpt_set_xfer_mode(mpt_softc_t *mpt, stru { fCONFIG_PAGE_SCSI_DEVICE_1 tmp; - /* - * Always allow disconnect; we don't have a way to disable - * it right now, in any case. - */ - mpt->mpt_disc_enable |= (1 << xm->xm_target); - if (xm->xm_mode & PERIPH_CAP_TQING) mpt->mpt_tag_enable |= (1 << xm->xm_target); else @@ -1134,6 +1128,12 @@ mpt_set_xfer_mode(mpt_softc_t *mpt, stru if (mpt->is_scsi) { /* + * Always allow disconnect; we don't have a way to disable + * it right now, in any case. + */ + mpt->mpt_disc_enable |= (1 << xm->xm_target); + + /* * SCSI transport settings only make any sense for * SCSI */
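Review bot: the reasoning in the log message applies equally to `mpt->mpt_tag_enable |= (1 << xm->xm_target);`, which this hunk leaves outside the is_scsi block: the mpt_netbsd.h commit on the same day shows `_tag_enable` as the companion 16-bit field next to `_disc_enable` in the spi configuration, so on a non-SPI controller it is written through the same `cfg.spi` accessor, and for xm_target >= 16 the shifted bit is silently truncated (and for xm_target >= 32 the shift itself is undefined). Consider moving the tag_enable update into the is_scsi block too, or bounding xm_target before shifting.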
CVS commit: src/sys/dev/ic
Module Name:src Committed By: jakllsch Date: Tue Jan 30 20:15:41 UTC 2018 Modified Files: src/sys/dev/ic: mpt.c Log Message: more-fully initialize mpt_disc_enable To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/sys/dev/ic/mpt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/mpt.c diff -u src/sys/dev/ic/mpt.c:1.17 src/sys/dev/ic/mpt.c:1.18 --- src/sys/dev/ic/mpt.c:1.17 Sat Sep 27 16:14:16 2014 +++ src/sys/dev/ic/mpt.c Tue Jan 30 20:15:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: mpt.c,v 1.17 2014/09/27 16:14:16 jmcneill Exp $ */ +/* $NetBSD: mpt.c,v 1.18 2018/01/30 20:15:41 jakllsch Exp $ */ /* * Copyright (c) 2000, 2001 by Greg Ansley @@ -110,7 +110,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: mpt.c,v 1.17 2014/09/27 16:14:16 jmcneill Exp $"); +__KERNEL_RCSID(0, "$NetBSD: mpt.c,v 1.18 2018/01/30 20:15:41 jakllsch Exp $"); #include @@ -940,7 +940,7 @@ mpt_set_initial_config_spi(mpt_softc_t * { int i, pp1val = ((1 << mpt->mpt_ini_id) << 16) | mpt->mpt_ini_id; - mpt->mpt_disc_enable = 0xff; + mpt->mpt_disc_enable = 0x; mpt->mpt_tag_enable = 0; if (mpt->mpt_port_page1.Configuration != pp1val) {
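Review bot: the new right-hand side renders as `mpt->mpt_disc_enable = 0x;`, which is not a valid integer literal, so the value this commit assigns cannot be read from the listing; given the log message and the 16-bit width of the field noted in the mpt_netbsd.c commit, confirm in the committed mpt.c that the literal is the intended 16-bit value rather than the old 0xff, and consider expressing it as a named mask so the width is visible at the assignment and at the `(1 << xm->xm_target)` sites that set individual bits.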
CVS commit: src/sys/arch/shark/isa
Module Name:src Committed By: skrll Date: Tue Jan 30 19:22:28 UTC 2018 Modified Files: src/sys/arch/shark/isa: isa_irq.S Log Message: whitespace To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/arch/shark/isa/isa_irq.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/arch/shark/isa/isa_irq.S diff -u src/sys/arch/shark/isa/isa_irq.S:1.16 src/sys/arch/shark/isa/isa_irq.S:1.17 --- src/sys/arch/shark/isa/isa_irq.S:1.16 Mon Dec 2 18:36:11 2013 +++ src/sys/arch/shark/isa/isa_irq.S Tue Jan 30 19:22:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: isa_irq.S,v 1.16 2013/12/02 18:36:11 joerg Exp $ */ +/* $NetBSD: isa_irq.S,v 1.17 2018/01/30 19:22:28 skrll Exp $ */ /* * Copyright 1997 @@ -134,7 +134,7 @@ ASENTRY_NP(irq_entry) ldr r0, .Lvam_io_data ldr r0, [r0] ldrb r8, [r0, #IO_ICU1]/* ocw3 = irr */ - + /* clear the IRR bits that are currently masked. */ ldr r2, .Li8259_mask ldr r2, [r2] @@ -197,7 +197,7 @@ ASENTRY_NP(irq_entry) mvn r2, r2 orr r0, r0, r2 - str r0, [r1] + str r0, [r1] ldr r1, [r4, #CI_CPL] str r9, [r4, #CI_CPL]
CVS commit: src/sys/dev/ic
Module Name:src Committed By: jakllsch Date: Tue Jan 30 19:13:09 UTC 2018 Modified Files: src/sys/dev/ic: mpt_netbsd.h Log Message: remove unused softc variables To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/sys/dev/ic/mpt_netbsd.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/ic/mpt_netbsd.h diff -u src/sys/dev/ic/mpt_netbsd.h:1.11 src/sys/dev/ic/mpt_netbsd.h:1.12 --- src/sys/dev/ic/mpt_netbsd.h:1.11 Tue Apr 1 23:57:54 2014 +++ src/sys/dev/ic/mpt_netbsd.h Tue Jan 30 19:13:08 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: mpt_netbsd.h,v 1.11 2014/04/01 23:57:54 buhrow Exp $ */ +/* $NetBSD: mpt_netbsd.h,v 1.12 2018/01/30 19:13:08 jakllsch Exp $ */ /* * Copyright (c) 2003 Wasabi Systems, Inc. @@ -193,8 +193,6 @@ typedef struct mpt_softc { fCONFIG_PAGE_SCSI_DEVICE_1 _dev_page1[16]; uint16_t _tag_enable; uint16_t _disc_enable; - uint16_t _update_params0; - uint16_t _update_params1; uint16_t _report_xfer_mode; } spi; #define mpt_port_page0 cfg.spi._port_page0 @@ -204,8 +202,6 @@ typedef struct mpt_softc { #define mpt_dev_page1 cfg.spi._dev_page1 #define mpt_tag_enable cfg.spi._tag_enable #define mpt_disc_enable cfg.spi._disc_enable -#define mpt_update_params0 cfg.spi._update_params0 -#define mpt_update_params1 cfg.spi._update_params1 #define mpt_report_xfer_mode cfg.spi._report_xfer_mode struct mpt_fc_cfg {
CVS commit: [netbsd-6-0] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:48:17 UTC 2018 Modified Files: src/doc [netbsd-6-0]: CHANGES-6.0.7 Log Message: Ticket #1523 To generate a diff of this commit: cvs rdiff -u -r1.1.2.123 -r1.1.2.124 src/doc/CHANGES-6.0.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.0.7 diff -u src/doc/CHANGES-6.0.7:1.1.2.123 src/doc/CHANGES-6.0.7:1.1.2.124 --- src/doc/CHANGES-6.0.7:1.1.2.123 Mon Jan 29 19:31:26 2018 +++ src/doc/CHANGES-6.0.7 Tue Jan 30 18:48:17 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.0.7,v 1.1.2.123 2018/01/29 19:31:26 martin Exp $ +# $NetBSD: CHANGES-6.0.7,v 1.1.2.124 2018/01/30 18:48:17 martin Exp $ A complete list of changes from the NetBSD 6.0.6 release to the NetBSD 6.0.7 release: @@ -15287,3 +15287,14 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1521] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) +sys/netinet6/ah_input.cadjust other callers (patch) +sys/netinet6/esp_input.c adjust other callers (patch) +sys/netinet6/ipcomp_input.c adjust other callers (patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1523] +
CVS commit: [netbsd-6-0] src/sys/netinet6
Module Name:	src
Committed By:	martin
Date:		Tue Jan 30 18:47:35 UTC 2018

Modified Files:
	src/sys/netinet6 [netbsd-6-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):

	sys/netinet6/frag6.c: revision 1.65
	sys/netinet6/ip6_input.c: revision 1.187
	sys/netinet6/ip6_var.h: revision 1.78
	sys/netinet6/raw_ip6.c: revision 1.160 (patch)
	sys/netinet6/ah_input.c: adjust other callers (patch)
	sys/netinet6/esp_input.c: adjust other callers (patch)
	sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is
wrong, an option is allowed to be located in another mbuf of the chain. If
the offset of an option within the chain is bigger than the length of the
first mbuf in that chain, we are reading/writing one byte of packet-controlled
data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose.
In the most difficult case, it will allocate a 2KB cluster, which is bigger
than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a special
combination of nested IPv6 fragments, the packet can control a good bunch of
'len'. By luck, the memory pool containing clusters does not embed the pool
header in front of the items, so it is not straightforward to predict what is
located at 'mtod(m, char *) + len'. However, by sending offending fragments in
a loop, it is possible to crash the kernel - at some point we will hit
important data structures.

As far as I can tell, PF protects against this difficult case, because it
kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or
if the network driver did not allocate a cluster, or perhaps if the fragments
are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.52.2.1.4.1 -r1.52.2.1.4.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58.6.1 -r1.58.6.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.109 -r1.109.6.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.52.2.1.4.1 src/sys/netinet6/frag6.c:1.52.2.1.4.2 --- src/sys/netinet6/frag6.c:1.52.2.1.4.1 Thu Oct 25 17:26:18 2012 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:47:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.52.2.1.4.1 2012/10/25 17:26:18 riz Exp $ */ +/* $NetBSD: frag6.c,v 1.52.2.1.4.2 2018/01/30 18:47:35 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.1.4.1 2012/10/25 17:26:18 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.1.4.2 2018/01/30 18:47:35 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -461,6 +453,21 @@ insert: m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.136.6.1 src/sys/netinet6/ip6_input.c:1.136.6.2 --- src/sys/netinet6/ip6_input.c:1.136.6.1 Mon Jul 8 07:40:34 2013 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:47:35 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $ */ +/* $NetBSD: ip6_input.c,v 1.136.6.2 2018/01/30 18:47:35 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.2 2018/01/30 18:47:35 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently
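Review bot: the `goto dropfrag` added in the NXT-restore block (frag6.c hunk @@ -461,6 +453,21) is the first error exit taken after `frag6_remque(q6)` and `kmem_intr_free(q6, sizeof(struct ip6q))` have already run (visible as context in the hunk above it), so the dropfrag label must not reference q6 or the fragment queue, and it must tolerate whatever IP6_EXTHDR_GET leaves in `m` on failure: if, as in the KAME-derived macro, the pulldown path frees the chain and sets `m` to NULL, a plain m_freem(m) at the label is fine, but that assumption deserves a comment next to the goto, e.g. `/* q6 is already freed; IP6_EXTHDR_GET consumed m on failure */`, so nobody later adds a q6 cleanup to dropfrag.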
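The following is an added illustration of the mbuf-chain offset problem the log message describes; it is not NetBSD code and not part of this commit. struct toy_mbuf, TOY_MBUF_SIZE and the toy_* functions are stand-ins assumed here for the kernel's struct mbuf, mtod() and IP6_EXTHDR_GET(); the sample chain, its buffer sizes and the offsets used are constructed. It models the removed `mtod(m, char *) + len` assumption next to a bounds-checked chain walk shaped like the new restore block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not NetBSD code: a toy mbuf chain and the two ways
 * of resolving a byte at chain offset 'off'. struct toy_mbuf, TOY_MBUF_SIZE
 * and every toy_* function are stand-ins assumed for this example; the real
 * kernel uses struct mbuf, mtod() and IP6_EXTHDR_GET()/m_pulldown().
 */
#define TOY_MBUF_SIZE 8   /* constructed: tiny buffer so the chain splits early */

struct toy_mbuf {
    struct toy_mbuf *m_next;                /* next buffer in the chain */
    size_t           m_len;                 /* bytes of packet data here */
    uint8_t          m_data[TOY_MBUF_SIZE]; /* the data itself */
};

/* Sum of m_len over the chain, what the hunk recomputes into m_pkthdr.len. */
static size_t toy_chain_len(const struct toy_mbuf *m)
{
    size_t total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/*
 * The removed code's assumption, mtod(m, char *) + off, is only valid when
 * the byte lives in the FIRST buffer. This predicate is that check; the old
 * ip6_get_prevhdr did not make it, so a false result here is exactly the
 * case where the old code stepped outside the first mbuf.
 */
static int toy_first_mbuf_holds(const struct toy_mbuf *m, size_t off)
{
    return off < m->m_len;
}

/*
 * Offset-to-pointer resolution in the spirit of IP6_EXTHDR_GET: walk to the
 * buffer that actually contains [off, off + len) and return a pointer into
 * it, or NULL if the range straddles a buffer boundary or lies past the end
 * of the chain. (The real macro pulls the bytes up into one buffer instead
 * of refusing; refusing is enough to show the bounds logic.)
 */
static uint8_t *toy_exthdr_get(struct toy_mbuf *m, size_t off, size_t len)
{
    for (; m != NULL; m = m->m_next) {
        if (off < m->m_len)
            return (off + len <= m->m_len) ? m->m_data + off : NULL;
        off -= m->m_len;
    }
    return NULL;
}

/*
 * Mirror of the new restore block: resolve the previous header's
 * next-header byte through the checked path and write it, or report
 * failure (the kernel's goto dropfrag) instead of writing blindly.
 */
static int toy_restore_nxt(struct toy_mbuf *m, size_t prvnxt_off, uint8_t nxt)
{
    uint8_t *prvnxtp = toy_exthdr_get(m, prvnxt_off, sizeof(uint8_t));
    if (prvnxtp == NULL)
        return -1;          /* dropfrag */
    *prvnxtp = nxt;
    return 0;
}

/* Byte at chain offset 'off' via the checked path, or -1 if unreachable. */
static int toy_byte_at(struct toy_mbuf *m, size_t off)
{
    uint8_t *p = toy_exthdr_get(m, off, 1);
    return p != NULL ? *p : -1;
}

/* Constructed sample: 3 buffers of 8, 8 and 4 bytes, byte value == offset. */
static struct toy_mbuf *toy_sample_chain(void)
{
    static struct toy_mbuf chain[3];
    static const size_t lens[3] = { 8, 8, 4 };
    uint8_t v = 0;
    for (int i = 0; i < 3; i++) {
        chain[i].m_len = lens[i];
        chain[i].m_next = (i < 2) ? &chain[i + 1] : NULL;
        for (size_t j = 0; j < lens[i]; j++)
            chain[i].m_data[j] = v++;
    }
    return chain;
}

/* Restore nxt at 'off' on a fresh sample chain and read it back; -1 on dropfrag. */
static int toy_restore_roundtrip(size_t off, uint8_t nxt)
{
    struct toy_mbuf *m = toy_sample_chain();
    if (toy_restore_nxt(m, off, nxt) != 0)
        return -1;
    return toy_byte_at(m, off);
}

int main(void)
{
    struct toy_mbuf *m = toy_sample_chain();
    size_t off = 13;   /* constructed: an option that lives in the second buffer */

    printf("chain length %zu\n", toy_chain_len(m));
    printf("offset %zu: in first buffer? %s; checked lookup -> %d\n", off,
           toy_first_mbuf_holds(m, off) ? "yes" : "no", toy_byte_at(m, off));
    printf("restore at %zu -> %d, restore at 25 -> %d\n", off,
           toy_restore_roundtrip(off, 0x3b), toy_restore_roundtrip(25, 0x3b));
    return 0;
}
```

With the constructed 8/8/4 chain, offset 13 is well inside the 20-byte packet yet outside the first buffer, which is the situation the log describes: a first-buffer pointer plus 13 would read past that buffer's data, while the chain walk lands on the right byte, and an offset past the packet end is refused rather than written.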
CVS commit: [netbsd-6-1] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:46:45 UTC 2018 Modified Files: src/doc [netbsd-6-1]: CHANGES-6.1.6 Log Message: Ticket #1523 To generate a diff of this commit: cvs rdiff -u -r1.1.2.120 -r1.1.2.121 src/doc/CHANGES-6.1.6 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.1.6 diff -u src/doc/CHANGES-6.1.6:1.1.2.120 src/doc/CHANGES-6.1.6:1.1.2.121 --- src/doc/CHANGES-6.1.6:1.1.2.120 Mon Jan 29 19:29:48 2018 +++ src/doc/CHANGES-6.1.6 Tue Jan 30 18:46:45 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.1.6,v 1.1.2.120 2018/01/29 19:29:48 martin Exp $ +# $NetBSD: CHANGES-6.1.6,v 1.1.2.121 2018/01/30 18:46:45 martin Exp $ A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6 release: @@ -14960,3 +14960,14 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1521] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) +sys/netinet6/ah_input.cadjust other callers (patch) +sys/netinet6/esp_input.c adjust other callers (patch) +sys/netinet6/ipcomp_input.c adjust other callers (patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1523] +
CVS commit: [netbsd-6-1] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:45:59 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)
        sys/netinet6/ah_input.c: adjust other callers (patch)
        sys/netinet6/esp_input.c: adjust other callers (patch)
        sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.2.2.1 --- src/sys/netinet6/frag6.c:1.52.2.2 Thu Oct 25 17:23:33 2012 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:45:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $ */ +/* $NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -461,6 +453,21 @@ insert: m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.136.8.1 src/sys/netinet6/ip6_input.c:1.136.8.2 --- src/sys/netinet6/ip6_input.c:1.136.8.1 Mon Jul 8 07:40:56 2013 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:45:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $ */ +/* $NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This
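Review bot: the ip6_input.c hunk (@@ -1419,50 +1419,44 @@, cut off after its first comment line in this mail) changes ip6_get_prevhdr from returning a pointer to returning an offset, and the comment it rewrites is the only place a caller learns that; make it state the new contract explicitly, i.e. that the returned offset must be resolved with IP6_EXTHDR_GET (or m_pulldown) over the whole chain and never with `mtod(m, char *) + off`, since a caller in ah_input.c, esp_input.c or ipcomp_input.c that keeps the old idiom would reintroduce exactly the out-of-mbuf access the log message describes. The ip6_var.h prototype change is the compile-time guard here, so also confirm that the header hunk (not shown) changes the return type rather than keeping `u_int8_t *`.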
CVS commit: [netbsd-6] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:45:16 UTC 2018 Modified Files: src/doc [netbsd-6]: CHANGES-6.2 Log Message: Ticket #1523 To generate a diff of this commit: cvs rdiff -u -r1.1.2.316 -r1.1.2.317 src/doc/CHANGES-6.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-6.2 diff -u src/doc/CHANGES-6.2:1.1.2.316 src/doc/CHANGES-6.2:1.1.2.317 --- src/doc/CHANGES-6.2:1.1.2.316 Mon Jan 29 19:27:05 2018 +++ src/doc/CHANGES-6.2 Tue Jan 30 18:45:16 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-6.2,v 1.1.2.316 2018/01/29 19:27:05 martin Exp $ +# $NetBSD: CHANGES-6.2,v 1.1.2.317 2018/01/30 18:45:16 martin Exp $ A complete list of changes from the 6.1 release until the 6.2 release: @@ -21017,3 +21017,15 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1521] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) +sys/netinet6/ah_input.cadjust other callers (patch) +sys/netinet6/esp_input.c adjust other callers (patch) +sys/netinet6/ipcomp_input.c adjust other callers (patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1523] + +
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:44:22 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)
        sys/netinet6/ah_input.c: adjust other callers (patch)
        sys/netinet6/esp_input.c: adjust other callers (patch)
        sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.3 --- src/sys/netinet6/frag6.c:1.52.2.2 Thu Oct 25 17:23:33 2012 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $ */ +/* $NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -461,6 +453,21 @@ insert: m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.136.2.1 src/sys/netinet6/ip6_input.c:1.136.2.2 --- src/sys/netinet6/ip6_input.c:1.136.2.1 Mon Jul 8 07:40:07 2013 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $ */ +/* $NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This function supposes that
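Review bot: in the frag6.c hunk @@ -461,6 +453,21 the restore block's position after `m->m_pkthdr.len = plen` is load-bearing, not cosmetic: the old write (removed in the hunk above it) happened before the chain length was recomputed, while IP6_EXTHDR_GET resolves a chain offset and needs a consistent m_pkthdr.len to pull the byte up. Say so in the block's comment (`Restore NXT to the original` does not) so a later cleanup does not move the block back up, and if ip6_get_prevhdr can report an invalid position, check `prvnxt` before handing it to `IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, sizeof(*prvnxtp))`, since that macro call is now the only guard left on this path.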
CVS commit: [netbsd-7-0] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:32:34 UTC 2018 Modified Files: src/doc [netbsd-7-0]: CHANGES-7.0.3 Log Message: Ticket #1560 To generate a diff of this commit: cvs rdiff -u -r1.1.2.74 -r1.1.2.75 src/doc/CHANGES-7.0.3 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.0.3 diff -u src/doc/CHANGES-7.0.3:1.1.2.74 src/doc/CHANGES-7.0.3:1.1.2.75 --- src/doc/CHANGES-7.0.3:1.1.2.74 Mon Jan 29 19:44:06 2018 +++ src/doc/CHANGES-7.0.3 Tue Jan 30 18:32:34 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.0.3,v 1.1.2.74 2018/01/29 19:44:06 martin Exp $ +# $NetBSD: CHANGES-7.0.3,v 1.1.2.75 2018/01/30 18:32:34 martin Exp $ A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3 release: @@ -5195,3 +5195,11 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1557] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1560] +
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:31:53 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):
        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile.
To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/frag6.c cvs rdiff -u -r1.149.2.1 -r1.149.2.1.2.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.62.2.1 -r1.62.2.1.2.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.6.1 --- src/sys/netinet6/frag6.c:1.55 Fri Aug 30 07:42:08 2013 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:31:53 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $ */ +/* $NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -456,11 +448,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.2.1 --- src/sys/netinet6/ip6_input.c:1.149.2.1 Fri Jan 23 09:27:15 2015 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:31:53 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $ */ +/* $NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header
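Review bot: the comment `XXX XXX Why don't we remove M_PKTHDR?` added inside the plen loop of frag6.c hunk @@ -456,11 +448,30 is an open question, not documentation, and it lands on a release branch next to the older `/* Isn't it always true? */`; the log message already gives the answer that matters for this change, that IP6_EXTHDR_GET leaves M_PKTHDR untouched and the restore block added further down depends on m_pkthdr.len having just been recomputed, so replace the question with that statement, e.g. `/* m_pkthdr.len must be valid: IP6_EXTHDR_GET below relies on it */`, or drop the comment from the pullup.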
CVS commit: [netbsd-7-1] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:31:12 UTC 2018 Modified Files: src/doc [netbsd-7-1]: CHANGES-7.1.2 Log Message: Ticket #1560 To generate a diff of this commit: cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.1.2 diff -u src/doc/CHANGES-7.1.2:1.1.2.4 src/doc/CHANGES-7.1.2:1.1.2.5 --- src/doc/CHANGES-7.1.2:1.1.2.4 Mon Jan 29 19:42:47 2018 +++ src/doc/CHANGES-7.1.2 Tue Jan 30 18:31:12 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.1.2,v 1.1.2.4 2018/01/29 19:42:47 martin Exp $ +# $NetBSD: CHANGES-7.1.2,v 1.1.2.5 2018/01/30 18:31:12 martin Exp $ A complete list of changes from the NetBSD 7.1.1 release to the NetBSD 7.1.2 release: @@ -83,3 +83,11 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1557] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1560] +
CVS commit: [netbsd-7-1] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:30:31 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is
wrong, an option is allowed to be located in another mbuf of the chain. If
the offset of an option within the chain is bigger than the length of the
first mbuf in that chain, we are reading/writing one byte of
packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which is
bigger than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a special
combination of nested IPv6 fragments, the packet can control a good bunch of
'len'. By luck, the memory pool containing clusters does not embed the pool
header in front of the items, so it is not straightforward to predict what
is located at 'mtod(m, char *) + len'. However, by sending offending
fragments in a loop, it is possible to crash the kernel - at some point we
will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it
kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or
if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always
use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR
untouched.

This place is still fragile.
To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.10.1 src/sys/netinet6/frag6.c cvs rdiff -u -r1.149.2.1 -r1.149.2.1.6.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.62.2.1 -r1.62.2.1.6.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.136.2.1 -r1.136.2.1.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.10.1 --- src/sys/netinet6/frag6.c:1.55 Fri Aug 30 07:42:08 2013 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:30:31 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $ */ +/* $NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -456,11 +448,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.6.1 --- src/sys/netinet6/ip6_input.c:1.149.2.1 Fri Jan 23 09:27:15 2015 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:30:31 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $ */ +/* $NetBSD: ip6_input.c,v 1.149.2.1.6.1 2018/01/30 18:30:31 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.6.1 2018/01/30 18:30:31 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by
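Review bot: the new `goto dropfrag` in the "Restore NXT to the original" block is reached after `frag6_remque(q6)` and `kmem_intr_free(q6, sizeof(struct ip6q))` in the preceding hunk, whereas the removed store ran before them; the `dropfrag` label is outside this context, so confirm it does not touch `q6` or the fragment queue, and that freeing `m` there is the intended cleanup for the already reassembled chain (the `m_cat`ed packet) when the `IP6_EXTHDR_GET` pull-up fails.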
CVS commit: [netbsd-7] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:29:25 UTC 2018 Modified Files: src/doc [netbsd-7]: CHANGES-7.2 Log Message: Ticket #1560 To generate a diff of this commit: cvs rdiff -u -r1.1.2.60 -r1.1.2.61 src/doc/CHANGES-7.2 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-7.2 diff -u src/doc/CHANGES-7.2:1.1.2.60 src/doc/CHANGES-7.2:1.1.2.61 --- src/doc/CHANGES-7.2:1.1.2.60 Mon Jan 29 19:40:17 2018 +++ src/doc/CHANGES-7.2 Tue Jan 30 18:29:25 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-7.2,v 1.1.2.60 2018/01/29 19:40:17 martin Exp $ +# $NetBSD: CHANGES-7.2,v 1.1.2.61 2018/01/30 18:29:25 martin Exp $ A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2 release: @@ -5066,3 +5066,11 @@ sys/netipsec/xform_ah.c1.76 Fix a remote DoS vulnerability in IPsec-AH. [maxv, ticket #1557] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 (via patch) + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #1560] +
CVS commit: [netbsd-7] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:28:46 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is
wrong, an option is allowed to be located in another mbuf of the chain. If
the offset of an option within the chain is bigger than the length of the
first mbuf in that chain, we are reading/writing one byte of
packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which is
bigger than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a special
combination of nested IPv6 fragments, the packet can control a good bunch of
'len'. By luck, the memory pool containing clusters does not embed the pool
header in front of the items, so it is not straightforward to predict what
is located at 'mtod(m, char *) + len'. However, by sending offending
fragments in a loop, it is possible to crash the kernel - at some point we
will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it
kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or
if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always
use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR
untouched.

This place is still fragile.
To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.4.1 src/sys/netinet6/frag6.c cvs rdiff -u -r1.149.2.1 -r1.149.2.2 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.62.2.1 -r1.62.2.2 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.4.1 --- src/sys/netinet6/frag6.c:1.55 Fri Aug 30 07:42:08 2013 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:28:45 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $ */ +/* $NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $"); #include #include @@ -441,14 +441,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -456,11 +448,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.2 --- src/sys/netinet6/ip6_input.c:1.149.2.1 Fri Jan 23 09:27:15 2015 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:28:45 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $ */ +/* $NetBSD: ip6_input.c,v 1.149.2.2 2018/01/30 18:28:45 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.2 2018/01/30 18:28:45 martin Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently
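Review bot: the braces added around the `plen += t->m_len;` loop body exist only to host the `XXX XXX Why don't we remove M_PKTHDR?` question, which is about the `if (m->m_flags & M_PKTHDR)` test (next to the existing `/* Isn't it always true? */`), not about the loop that sums `m_len`; on a release-branch pull-up an open question inside a loop is noise for readers. Suggest moving the comment above the `if`, or dropping it from the pull-up, and leaving the loop as a single statement.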
CVS commit: [netbsd-8] src/doc
Module Name:src Committed By: martin Date: Tue Jan 30 18:22:29 UTC 2018 Modified Files: src/doc [netbsd-8]: CHANGES-8.0 Log Message: Ticket #527 To generate a diff of this commit: cvs rdiff -u -r1.1.2.107 -r1.1.2.108 src/doc/CHANGES-8.0 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/doc/CHANGES-8.0 diff -u src/doc/CHANGES-8.0:1.1.2.107 src/doc/CHANGES-8.0:1.1.2.108 --- src/doc/CHANGES-8.0:1.1.2.107 Fri Jan 26 19:53:10 2018 +++ src/doc/CHANGES-8.0 Tue Jan 30 18:22:29 2018 @@ -1,4 +1,4 @@ -# $NetBSD: CHANGES-8.0,v 1.1.2.107 2018/01/26 19:53:10 martin Exp $ +# $NetBSD: CHANGES-8.0,v 1.1.2.108 2018/01/30 18:22:29 martin Exp $ A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04 until the 8.0 release: @@ -9264,3 +9264,11 @@ sys/netipsec/xform_ah.c1.75-1.76 to remotely crash the kernel with a single packet. [maxv, ticket #512] +sys/netinet6/frag6.c1.65 +sys/netinet6/ip6_input.c 1.187 +sys/netinet6/ip6_var.h1.78 +sys/netinet6/raw_ip6.c1.160 + + Fix a memory corruption in ip6_get_prevhdr(). + [maxv, ticket #527] +
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:21:10 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-8]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #527):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is
wrong, an option is allowed to be located in another mbuf of the chain. If
the offset of an option within the chain is bigger than the length of the
first mbuf in that chain, we are reading/writing one byte of
packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which is
bigger than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a special
combination of nested IPv6 fragments, the packet can control a good bunch of
'len'. By luck, the memory pool containing clusters does not embed the pool
header in front of the items, so it is not straightforward to predict what
is located at 'mtod(m, char *) + len'. However, by sending offending
fragments in a loop, it is possible to crash the kernel - at some point we
will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it
kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or
if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always
use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR
untouched.

This place is still fragile.
To generate a diff of this commit: cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.178.2.3 -r1.178.2.4 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.74 -r1.74.6.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.157.2.1 -r1.157.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.1 src/sys/netinet6/frag6.c:1.60.6.2 --- src/sys/netinet6/frag6.c:1.60.6.1 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:21:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -442,14 +442,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -457,11 +449,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); rtcache_unref(rt, ); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.178.2.3 src/sys/netinet6/ip6_input.c:1.178.2.4 --- src/sys/netinet6/ip6_input.c:1.178.2.3 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:21:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -1405,50 +1405,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header
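Review bot: in this branch the success path right below the new block ends with `rtcache_unref(rt, ...)`, but the new `goto dropfrag` jumps over it while `rt` is still held; the `dropfrag` label is not in this context, so check that it releases the route reference (or release it before the goto), otherwise every reassembly dropped by the failed `IP6_EXTHDR_GET` leaks a reference.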
CVS commit: src/sys/netinet6
Module Name:src Committed By: maxv Date: Tue Jan 30 15:54:03 UTC 2018 Modified Files: src/sys/netinet6: in6.h ip6_input.c ip6_var.h Log Message: Style, localify, remove dead code, and fix typos. No functional change. To generate a diff of this commit: cvs rdiff -u -r1.88 -r1.89 src/sys/netinet6/in6.h cvs rdiff -u -r1.188 -r1.189 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.78 -r1.79 src/sys/netinet6/ip6_var.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6.h diff -u src/sys/netinet6/in6.h:1.88 src/sys/netinet6/in6.h:1.89 --- src/sys/netinet6/in6.h:1.88 Wed Jan 10 10:56:30 2018 +++ src/sys/netinet6/in6.h Tue Jan 30 15:54:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: in6.h,v 1.88 2018/01/10 10:56:30 knakahara Exp $ */ +/* $NetBSD: in6.h,v 1.89 2018/01/30 15:54:02 maxv Exp $ */ /* $KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $ */ /* @@ -555,7 +555,7 @@ struct ip6_mtuinfo { #define IPV6CTL_MRTPROTO 8 /* multicast routing protocol */ #define IPV6CTL_MAXFRAGPACKETS 9 /* max packets reassembly queue */ #define IPV6CTL_SOURCECHECK 10 /* verify source route and intf */ -#define IPV6CTL_SOURCECHECK_LOGINT 11 /* minimume logging interval */ +#define IPV6CTL_SOURCECHECK_LOGINT 11 /* minimum logging interval */ #define IPV6CTL_ACCEPT_RTADV 12 #define IPV6CTL_KEEPFAITH 13 #define IPV6CTL_LOG_INTERVAL 14 Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.188 src/sys/netinet6/ip6_input.c:1.189 --- src/sys/netinet6/ip6_input.c:1.188 Tue Jan 30 15:35:31 2018 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 15:54:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $ */ +/* $NetBSD: ip6_input.c,v 1.189 2018/01/30 15:54:02 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* 
@@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.189 2018/01/30 15:54:02 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -141,7 +141,7 @@ static void ip6intr(void *); static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, - u_int32_t *); +u_int32_t *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static void sysctl_net_inet6_ip6_setup(struct sysctllog **); @@ -855,14 +855,14 @@ ip6_hopopts_input(u_int32_t *plenp, u_in /* validation of the length of the header */ IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, - sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); + sizeof(struct ip6_hdr), sizeof(struct ip6_hbh)); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; } hbhlen = (hbh->ip6h_len + 1) << 3; IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr), - hbhlen); + hbhlen); if (hbh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); return -1; @@ -872,12 +872,12 @@ ip6_hopopts_input(u_int32_t *plenp, u_in hbhlen -= sizeof(struct ip6_hbh); if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), -hbhlen, rtalertp, plenp) < 0) - return (-1); + hbhlen, rtalertp, plenp) < 0) + return -1; *offp = off; *mp = m; - return (0); + return 0; } /* @@ -1402,7 +1402,7 @@ ip6_get_prevhdr(struct mbuf *m, int off) /* * get next header offset. m will be retained. */ -int +static int ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp) { struct ip6_hdr ip6; @@ -1411,7 +1411,7 @@ ip6_nexthdr(struct mbuf *m, int off, int /* just in case */ if (m == NULL) - panic("ip6_nexthdr: m == NULL"); + panic("%s: m == NULL", __func__); if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off) return -1; 
@@ -1566,11 +1566,6 @@ sysctl_net_inet6_ip6_stats(SYSCTLFN_ARGS static void sysctl_net_inet6_ip6_setup(struct sysctllog **clog) { -#ifdef RFC2292 -#define IS2292(x, y) ((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y)) -#else -#define IS2292(x, y) (y) -#endif sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, @@ -1614,26 +1609,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_NET, PF_INET6, IPPROTO_IPV6, IPV6CTL_DEFMTU, CTL_EOL); #endif -#ifdef __no_idea__ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "forwsrcrt", NULL, - NULL, 0, &?, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_FORWSRCRT, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRUCT, "mrtstats", NULL, - NULL, 0, &?, sizeof(?), - CTL_NET, PF_INET6, IPPROTO_IPV6, - IPV6CTL_MRTSTATS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_?, "mrtproto", NULL, -
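Review bot: `ip6_nexthdr` becomes `static int` in ip6_input.c, so its prototype has to go from ip6_var.h in the same commit (that file is in the list, but its hunk is not shown here), and a `static` forward declaration is needed above any caller that precedes the definition in ip6_input.c, otherwise the file no longer compiles cleanly. The `panic("%s: m == NULL", __func__)` change alongside it is fine.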
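Review bot: the removed `IS2292(x, y)` macro in `sysctl_net_inet6_ip6_setup` expanded to `in6p->in6p_flags`, and `in6p` is not a parameter of that function (its only argument is `clog`), so the macro could not have been usable there; the removal is right, but a grep for remaining `IS2292` users in the file would confirm nothing else depended on it. The `#ifdef __no_idea__` block with `&?` and `CTLTYPE_?` placeholders never compiled and is safe to drop.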
CVS commit: src/sys/netinet6
Module Name:src Committed By: maxv Date: Tue Jan 30 15:35:31 UTC 2018 Modified Files: src/sys/netinet6: ip6_input.c Log Message: Kick nested fragments. To generate a diff of this commit: cvs rdiff -u -r1.187 -r1.188 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.187 src/sys/netinet6/ip6_input.c:1.188 --- src/sys/netinet6/ip6_input.c:1.187 Tue Jan 30 14:49:25 2018 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 15:35:31 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $ */ +/* $NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -248,7 +248,7 @@ ip6_input(struct mbuf *m, struct ifnet * int hit, off = sizeof(struct ip6_hdr), nest; u_int32_t plen; u_int32_t rtalert = ~0; - int nxt, ours = 0, rh_present = 0; + int nxt, ours = 0, rh_present = 0, frg_present; struct ifnet *deliverifp = NULL; int srcrt = 0; struct rtentry *rt = NULL; @@ -741,6 +741,7 @@ hbhcheck: percpu_putref(ip6_forward_rt_percpu); rh_present = 0; + frg_present = 0; while (nxt != IPPROTO_DONE) { if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { IP6_STATINC(IP6_STAT_TOOMANYHDR); @@ -764,6 +765,12 @@ hbhcheck: IP6_STATINC(IP6_STAT_BADOPTIONS); goto bad; } + } else if (nxt == IPPROTO_FRAGMENT) { + if (frg_present++) { +in6_ifstat_inc(rcvif, ifs6_in_hdrerr); +IP6_STATINC(IP6_STAT_BADOPTIONS); +goto bad; + } } #ifdef IPSEC
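Review bot: `frg_present` is added to `int nxt, ours = 0, rh_present = 0, frg_present;` without an initializer, unlike the `rh_present = 0` beside it, and is only zeroed at `hbhcheck:`; for consistency, and to avoid a maybe-uninitialized warning should any path reach the `while (nxt != IPPROTO_DONE)` loop without passing the `hbhcheck:` reset, initialize it at declaration too: `int nxt, ours = 0, rh_present = 0, frg_present = 0;`. The check itself (drop on a second `IPPROTO_FRAGMENT` header, counting `ifs6_in_hdrerr` and `IP6_STAT_BADOPTIONS`) follows the pattern of the `rh_present` branch it is chained to with `else if`.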
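As an added illustration, not NetBSD code and not the committer's, of two things on this page: the ip6_get_prevhdr change pulled up above, which replaces `mtod(m, char *) + len` (a pointer into the first mbuf only) with an offset into the chain resolved through a bounds-checked accessor, and the "Kick nested fragments" commit, which drops a packet that carries a second Fragment header. The `struct tmbuf` layout, the 64-byte toy buffers, the `chain_byte_at`, `set_nxt`, `count_fragment_headers`, `accept_packet` and `build_chain` names and the constructed sample chains are assumptions of the example; the real mbuf and IP6_EXTHDR_GET are only referred to, not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for an mbuf chain (assumed layout, not NetBSD's struct mbuf). */
struct tmbuf {
    struct tmbuf *m_next;
    size_t m_len;             /* valid bytes in data[] */
    unsigned char data[64];
};

#define IPV6_HDRLEN    40
#define IPV6_NXT_OFF   6      /* Next Header byte in the fixed IPv6 header */
#define PROTO_HOPOPTS  0
#define PROTO_TCP      6
#define PROTO_ROUTING  43
#define PROTO_FRAGMENT 44
#define PROTO_DSTOPTS  60

/* The old lookup, mtod(m, char *) + off, assumes 'off' lands in the FIRST
 * buffer. This only reports whether that holds; the old code never checked. */
int first_mbuf_covers(const struct tmbuf *m, size_t off)
{
    return off < m->m_len;
}

/* The fixed shape: 'off' is an offset into the whole chain. Walk to the buffer
 * backing it; NULL when the chain is too short (never a pointer past a buffer). */
unsigned char *chain_byte_at(struct tmbuf *m, size_t off)
{
    for (; m != NULL; m = m->m_next) {
        if (off < m->m_len) return &m->data[off];
        off -= m->m_len;
    }
    return NULL;
}

/* Store a Next Header value at chain offset 'off'; -1 if nothing backs it. */
int set_nxt(struct tmbuf *m, size_t off, uint8_t nxt)
{
    unsigned char *p = chain_byte_at(m, off);
    if (p == NULL) return -1;
    *p = nxt;
    return 0;
}

/* Walk the extension headers with bounds-checked reads and count Fragment
 * headers; -1 if a header is not fully backed by data (truncated chain). */
int count_fragment_headers(struct tmbuf *m)
{
    unsigned char *nxtp = chain_byte_at(m, IPV6_NXT_OFF);
    if (nxtp == NULL) return -1;
    unsigned nxt = *nxtp;
    size_t off = IPV6_HDRLEN;
    int frags = 0;
    while (nxt == PROTO_HOPOPTS || nxt == PROTO_ROUTING ||
           nxt == PROTO_FRAGMENT || nxt == PROTO_DSTOPTS) {
        unsigned char *hnxt = chain_byte_at(m, off);      /* ip6e_nxt */
        unsigned char *hlen = chain_byte_at(m, off + 1);  /* ip6e_len */
        if (hnxt == NULL || hlen == NULL) return -1;
        /* Fragment header is a fixed 8 bytes; the others are (len + 1) * 8. */
        size_t hdrlen = (nxt == PROTO_FRAGMENT) ? 8 : ((size_t)*hlen + 1) * 8;
        if (chain_byte_at(m, off + hdrlen - 1) == NULL) return -1; /* truncated */
        if (nxt == PROTO_FRAGMENT) frags++;
        nxt = *hnxt;
        off += hdrlen;
    }
    return frags;
}

/* Policy of the "Kick nested fragments" change: a second Fragment header
 * (and, here, a truncated chain) means the packet is dropped. */
int accept_packet(struct tmbuf *m)
{
    int n = count_fragment_headers(m);
    return n >= 0 && n <= 1;
}

/* Constructed sample: 40-byte IPv6 header in bufs[0], then 'nfrag' 8-byte
 * Fragment headers, one per following buffer, the last one chaining to TCP. */
struct tmbuf *build_chain(struct tmbuf *bufs, int nfrag)
{
    memset(bufs, 0, sizeof(struct tmbuf) * (size_t)(nfrag + 1));
    bufs[0].m_len = IPV6_HDRLEN;
    bufs[0].data[IPV6_NXT_OFF] = nfrag > 0 ? PROTO_FRAGMENT : PROTO_TCP;
    for (int i = 1; i <= nfrag; i++) {
        bufs[i - 1].m_next = &bufs[i];
        bufs[i].m_len = 8;
        bufs[i].data[0] = (i < nfrag) ? PROTO_FRAGMENT : PROTO_TCP;
    }
    return &bufs[0];
}

int main(void)
{
    struct tmbuf bufs[3], *m = build_chain(bufs, 2);   /* nested fragments */
    printf("fragment headers: %d, accepted: %d\n",
           count_fragment_headers(m), accept_packet(m));
    return 0;
}
```

For the sample chain the first extension header starts at chain offset 40 while the first buffer holds only 40 bytes, so `first_mbuf_covers(m, 40)` is 0: that is precisely the case in which the old pointer arithmetic would have stepped one byte past the first buffer, while `chain_byte_at` either returns the byte from the second buffer or NULL, and `set_nxt` turns the NULL into a drop instead of a write.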
CVS commit: src/crypto/external/bsd/libsaslc/dist/src
Module Name:src Committed By: shm Date: Tue Jan 30 15:28:39 UTC 2018 Modified Files: src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c Log Message: Fixed memory leak (CID: 977744) To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c diff -u src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12 src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.13 --- src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12 Tue Jan 30 13:11:28 2018 +++ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c Tue Jan 30 15:28:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $ */ +/* $NetBSD: mech_digestmd5.c,v 1.13 2018/01/30 15:28:39 shm Exp $ */ /* Copyright (c) 2010 The NetBSD Foundation, Inc. * All rights reserved. @@ -35,7 +35,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__RCSID("$NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $"); +__RCSID("$NetBSD: mech_digestmd5.c,v 1.13 2018/01/30 15:28:39 shm Exp $"); #include @@ -860,7 +860,7 @@ choose_realm(saslc_sess_t *sess, const c { const char *user_realms; list_t *l; - char *p; + char *p = NULL; /*/ /* The realm containing the user's account. This directive is */ @@ -926,6 +926,7 @@ choose_realm(saslc_sess_t *sess, const c return p; } use_1st_realm: + free(p); if ((p = strdup(realms->value)) == NULL) goto nomem; return p;
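Review bot: `free(p)` at `use_1st_realm:` is only safe because `p` now starts as NULL and the `return p;` just above the label hands ownership of the other allocation to the caller; every `goto use_1st_realm` between the initialiser and the label must therefore leave `p` either NULL or owning a heap string, and since the hunk does not show those jumps, check that none of them reaches the label with a pointer that was already returned or freed (a double free would be worse than the leak being fixed).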
CVS commit: src/sys/netinet6
Module Name:src Committed By: maxv Date: Tue Jan 30 14:49:25 UTC 2018 Modified Files: src/sys/netinet6: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet- controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. 
To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/sys/netinet6/frag6.c cvs rdiff -u -r1.186 -r1.187 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.77 -r1.78 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.159 -r1.160 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.64 src/sys/netinet6/frag6.c:1.65 --- src/sys/netinet6/frag6.c:1.64 Thu Jan 25 20:55:15 2018 +++ src/sys/netinet6/frag6.c Tue Jan 30 14:49:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $ */ +/* $NetBSD: frag6.c,v 1.65 2018/01/30 14:49:25 maxv Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.65 2018/01/30 14:49:25 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -467,14 +467,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
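Review bot: the removed block wrote `*prvnxtp = nxt` through the raw pointer from `ip6_get_prevhdr(m, offset)` right after `m_cat(m, t)`, i.e. into a chain whose first mbuf need not cover `offset`; that is the one-byte out-of-bounds write the log message describes, so dropping it here is correct only because the store is re-done later in the same function, and a comment at this spot saying the store moved (rather than went away) would make the hunk self-explanatory.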
@@ -482,11 +474,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); rtcache_unref(rt, ); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.186 src/sys/netinet6/ip6_input.c:1.187 --- src/sys/netinet6/ip6_input.c:1.186 Mon Jan 29 10:57:13 2018 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 14:49:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.186 2018/01/29 10:57:13 maxv Exp $ */ +/* $NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.186 2018/01/29 10:57:13 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -1351,50 +1351,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header followed by the header * currently processed. - * XXX: This function supposes that - * M includes all headers, - * the next header field and the header length field of each header - * are valid, and - * the sum of each header length equals to OFF. - * Because of these assumptions, this function must be called very - * carefully. Moreover, it
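Review bot: the new restore block reaches `goto dropfrag` after `frag6_remque(q6)` and `kmem_intr_free(q6, ...)` have already run in the previous hunk, so confirm that `dropfrag:` neither touches `q6` nor the reassembly queue at that point and that it frees the fully concatenated `m`; also the `XXX XXX Why don't we remove M_PKTHDR?` comment inserted into the `plen` loop is a question rather than documentation, so either answer it or move it out of the loop body.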
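Review bot: the ip6_input.c comment hunk drops the XXX list of preconditions (all headers present in `m`, valid next-header and length fields, header lengths summing to `off`) while the log message still calls this place fragile; since `ip6_get_prevhdr` now returns an offset that callers feed to IP6_EXTHDR_GET, a trimmed version of that caveat should stay on the function so callers know the offset is only as trustworthy as the header walk that produced it.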
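The log message above explains the defect: `mtod(m, char *) + len` is only meaningful while `len` falls inside the first mbuf, yet an extension header may sit in a later mbuf of the chain, so the write lands past the end of the first buffer. As an added illustration (not NetBSD code; the struct layout, helper names and the sample chain are constructed assumptions), this userland model of an mbuf chain shows that precondition failing and how the patched approach, returning an offset and resolving it through a bounds-checked lookup in the spirit of IP6_EXTHDR_GET, reports failure instead of writing out of bounds:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an mbuf chain (not NetBSD's struct mbuf):
 * only the fields the example needs, with an assumed tiny buffer. */
#define MBUF_DATA 64

struct mbuf {
    struct mbuf *m_next;
    size_t       m_len;
    uint8_t      m_data[MBUF_DATA];
};

/* Sum of m_len over the chain, i.e. what m_pkthdr.len must equal. */
static size_t chain_len(const struct mbuf *m)
{
    size_t n = 0;
    for (; m != NULL; m = m->m_next)
        n += m->m_len;
    return n;
}

/* Pre-fix pattern: mtod(m, char *) + off is only valid while off lies
 * inside the FIRST mbuf.  This reports that precondition, which the
 * old code never checked. */
static int first_mbuf_covers(const struct mbuf *m, size_t off)
{
    return off < m->m_len;
}

/* Post-fix pattern: resolve a chain offset to len contiguous bytes, or
 * NULL when they are absent or straddle two mbufs.  The kernel macro
 * would try m_pulldown() first; this model simply fails, and the
 * caller treats failure as "drop the packet". */
static uint8_t *chain_get(struct mbuf *m, size_t off, size_t len)
{
    for (; m != NULL; m = m->m_next) {
        if (off < m->m_len) {
            if (off + len > m->m_len)
                return NULL;        /* straddles an mbuf boundary */
            return m->m_data + off;
        }
        off -= m->m_len;
    }
    return NULL;                    /* offset beyond the chain */
}

/* Shape of the patched "Restore NXT" block: prvnxt is an offset, the
 * write goes through a bounds-checked lookup, and failure is reported
 * (-1) instead of silently writing past a buffer. */
static int restore_nxt(struct mbuf *m, size_t prvnxt, uint8_t nxt)
{
    uint8_t *p = chain_get(m, prvnxt, sizeof(*p));
    if (p == NULL)
        return -1;
    *p = nxt;
    return 0;
}

/* Constructed sample: a 40-byte IPv6 header alone in the first mbuf
 * (ip6_nxt = 44, Fragment) and the 8-byte Fragment header in a second
 * mbuf, so the Fragment header's own next-header byte sits at chain
 * offset 40, one byte past the end of the first mbuf's data. */
static struct mbuf *sample_chain(void)
{
    static struct mbuf first, second;
    memset(&first, 0, sizeof(first));
    memset(&second, 0, sizeof(second));
    first.m_len = 40;
    first.m_data[0] = 0x60;         /* version 6 */
    first.m_data[6] = 44;           /* IPPROTO_FRAGMENT */
    first.m_next = &second;
    second.m_len = 8;
    second.m_data[0] = 6;           /* IPPROTO_TCP */
    return &first;
}

/* Build the sample, restore nxt at prvnxt and read it back
 * (returns the stored value, or -1 if the lookup was rejected). */
static int demo(size_t prvnxt, uint8_t nxt)
{
    struct mbuf *m = sample_chain();
    uint8_t *p;

    if (restore_nxt(m, prvnxt, nxt) != 0)
        return -1;
    p = chain_get(m, prvnxt, 1);
    return p == NULL ? -1 : *p;
}

int main(void)
{
    struct mbuf *m = sample_chain();
    printf("chain length %zu; first mbuf covers offset 40: %s\n",
        chain_len(m), first_mbuf_covers(m, 40) ? "yes" : "no");
    printf("restore at offset 40 -> nxt=%d\n", demo(40, 17));
    printf("restore at offset 48 -> %d (rejected)\n", demo(48, 17));
    return 0;
}
```

The interesting case is offset 40: `first_mbuf_covers()` is false, so the old arithmetic would have addressed one byte beyond the first mbuf's data, while `chain_get()` lands on the second mbuf's first byte and `restore_nxt()` succeeds; an offset at or beyond the chain end, or a field that straddles two mbufs, is refused rather than touched.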
CVS commit: src/crypto/external/bsd/libsaslc/dist/src
Module Name:src Committed By: shm Date: Tue Jan 30 13:11:28 UTC 2018 Modified Files: src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c Log Message: Fixed potential NULL pointer dereference (CID: 978477) To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 \ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c diff -u src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.11 src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12 --- src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.11 Fri Jun 28 15:04:35 2013 +++ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c Tue Jan 30 13:11:28 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: mech_digestmd5.c,v 1.11 2013/06/28 15:04:35 joerg Exp $ */ +/* $NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $ */ /* Copyright (c) 2010 The NetBSD Foundation, Inc. * All rights reserved. @@ -35,7 +35,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include -__RCSID("$NetBSD: mech_digestmd5.c,v 1.11 2013/06/28 15:04:35 joerg Exp $"); +__RCSID("$NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $"); #include @@ -2294,7 +2294,7 @@ saslc__mech_digestmd5_cont(saslc_sess_t } *out = saslc__mech_digestmd5_reply(sess, response); free(response); - if (out == NULL) + if (*out == NULL) return MECH_ERROR; *outlen = strlen(*out);
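Review bot: the fix is right: the old `if (out == NULL)` tested the output parameter rather than the reply stored in `*out`, so a NULL from `saslc__mech_digestmd5_reply()` fell through to `strlen(*out)`; because `free(response)` precedes the check the error path does not leak, but callers should be checked to treat MECH_ERROR with `*out == NULL` and `*outlen` left unset consistently.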
CVS commit: src/sys/kern
Module Name:src Committed By: ozaki-r Date: Tue Jan 30 11:03:06 UTC 2018 Modified Files: src/sys/kern: subr_workqueue.c Log Message: Check if a queued work is tried to be enqueued again, which is not allowed To generate a diff of this commit: cvs rdiff -u -r1.34 -r1.35 src/sys/kern/subr_workqueue.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/kern/subr_workqueue.c diff -u src/sys/kern/subr_workqueue.c:1.34 src/sys/kern/subr_workqueue.c:1.35 --- src/sys/kern/subr_workqueue.c:1.34 Thu Dec 28 07:00:52 2017 +++ src/sys/kern/subr_workqueue.c Tue Jan 30 11:03:06 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: subr_workqueue.c,v 1.34 2017/12/28 07:00:52 ozaki-r Exp $ */ +/* $NetBSD: subr_workqueue.c,v 1.35 2018/01/30 11:03:06 ozaki-r Exp $ */ /*- * Copyright (c)2002, 2005, 2006, 2007 YAMAMOTO Takashi, @@ -27,7 +27,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: subr_workqueue.c,v 1.34 2017/12/28 07:00:52 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: subr_workqueue.c,v 1.35 2018/01/30 11:03:06 ozaki-r Exp $"); #include #include @@ -354,6 +354,19 @@ workqueue_destroy(struct workqueue *wq) kmem_free(wq->wq_ptr, workqueue_size(wq->wq_flags)); } +#ifdef DEBUG +static void +workqueue_check_duplication(struct workqueue_queue *q, work_impl_t *wk) +{ + work_impl_t *_wk; + + SIMPLEQ_FOREACH(_wk, >q_queue_pending, wk_entry) { + if (_wk == wk) + panic("%s: tried to enqueue a queued work", __func__); + } +} +#endif + void workqueue_enqueue(struct workqueue *wq, struct work *wk0, struct cpu_info *ci) { @@ -365,6 +378,9 @@ workqueue_enqueue(struct workqueue *wq, mutex_enter(>q_mutex); KASSERT(q->q_waiter == NULL); +#ifdef DEBUG + workqueue_check_duplication(q, wk); +#endif SIMPLEQ_INSERT_TAIL(>q_queue_pending, wk, wk_entry); cv_signal(>q_cv); mutex_exit(>q_mutex);
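Review bot: `workqueue_check_duplication()` only walks `q->q_queue_pending` of the queue selected for this enqueue, so it cannot see a work that is pending on another CPU's queue (the `ci` argument picks the queue) or one that has already been dequeued and is running; that narrower coverage is fine for a DEBUG aid but should be stated in a comment so nobody reads the absence of a panic as proof that double enqueues cannot happen, and the O(n) walk under `q_mutex` is exactly why keeping it DEBUG-only is the right call.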
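Review bot: the call site repeats the `#ifdef DEBUG` that already wraps the definition; an empty `static inline` stub in an `#else` branch would keep `workqueue_enqueue()` free of conditionals, while the placement after `KASSERT(q->q_waiter == NULL)` and before `SIMPLEQ_INSERT_TAIL` is correct since `q_mutex` is held there.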
CVS commit: src/sys/net
Module Name:src Committed By: ozaki-r Date: Tue Jan 30 11:01:04 UTC 2018 Modified Files: src/sys/net: route.c Log Message: Prevent rt_free_global.wk from being enqueued to workqueue doubly To generate a diff of this commit: cvs rdiff -u -r1.205 -r1.206 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/route.c diff -u src/sys/net/route.c:1.205 src/sys/net/route.c:1.206 --- src/sys/net/route.c:1.205 Tue Jan 23 07:20:10 2018 +++ src/sys/net/route.c Tue Jan 30 11:01:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: route.c,v 1.205 2018/01/23 07:20:10 ozaki-r Exp $ */ +/* $NetBSD: route.c,v 1.206 2018/01/30 11:01:04 ozaki-r Exp $ */ /*- * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc. @@ -97,7 +97,7 @@ #endif #include -__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.205 2018/01/23 07:20:10 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.206 2018/01/30 11:01:04 ozaki-r Exp $"); #include #ifdef RTFLUSH_DEBUG @@ -256,6 +256,7 @@ static struct { struct work wk; kmutex_t lock; SLIST_HEAD(, rtentry) queue; + bool enqueued; } rt_free_global __cacheline_aligned; /* psref for rtentry */ @@ -459,6 +460,7 @@ rt_init(void) mutex_init(_free_global.lock, MUTEX_DEFAULT, IPL_SOFTNET); SLIST_INIT(_free_global.queue); + rt_free_global.enqueued = false; rt_psref_class = psref_class_create("rtentry", IPL_SOFTNET); @@ -693,6 +695,7 @@ rt_free_work(struct work *wk, void *arg) struct rtentry *rt; mutex_enter(_free_global.lock); + rt_free_global.enqueued = false; if ((rt = SLIST_FIRST(_free_global.queue)) == NULL) { mutex_exit(_free_global.lock); return; 
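Review bot: clearing `rt_free_global.enqueued = false` under the lock before draining the queue is the right order: an `rt_free()` that runs after the clear re-enqueues the work, whereas clearing after the drain could leave entries added in between sitting in the list with no work scheduled; the field is initialised in `rt_init()`, but a one-line comment on the new `bool enqueued;` member saying it is protected by `lock` would document that invariant.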
@@ -718,8 +721,11 @@ rt_free(struct rtentry *rt) mutex_enter(_free_global.lock); rt_ref(rt); SLIST_INSERT_HEAD(_free_global.queue, rt, rt_free); + if (!rt_free_global.enqueued) { + workqueue_enqueue(rt_free_global.wq, _free_global.wk, NULL); + rt_free_global.enqueued = true; + } mutex_exit(_free_global.lock); - workqueue_enqueue(rt_free_global.wq, _free_global.wk, NULL); } #ifdef NET_MPSAFE
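Review bot: `workqueue_enqueue()` is now called with `rt_free_global.lock` held, which adds the nesting `rt_free_global.lock` -> workqueue `q_mutex`; that is safe as long as nothing inside the workqueue takes `rt_free_global.lock`, which the visible `rt_free_work()` only does after it has been dispatched, and together with the `enqueued` flag it removes the double enqueue of `rt_free_global.wk` that the new DEBUG check in subr_workqueue.c would panic on.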
CVS commit: src/sys/net
Module Name:src Committed By: ozaki-r Date: Tue Jan 30 10:40:02 UTC 2018 Modified Files: src/sys/net: if.c Log Message: Destroy ifq_lock at the end of if_detach It still can be used in if_detach. To generate a diff of this commit: cvs rdiff -u -r1.418 -r1.419 src/sys/net/if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/if.c diff -u src/sys/net/if.c:1.418 src/sys/net/if.c:1.419 --- src/sys/net/if.c:1.418 Wed Jan 10 01:22:26 2018 +++ src/sys/net/if.c Tue Jan 30 10:40:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if.c,v 1.418 2018/01/10 01:22:26 ozaki-r Exp $ */ +/* $NetBSD: if.c,v 1.419 2018/01/30 10:40:02 ozaki-r Exp $ */ /*- * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc. @@ -90,7 +90,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.418 2018/01/10 01:22:26 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.419 2018/01/30 10:40:02 ozaki-r Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -1337,8 +1337,6 @@ if_detach(struct ifnet *ifp) altq_detach(>if_snd); #endif - mutex_obj_free(ifp->if_snd.ifq_lock); - #if NCARP > 0 /* Remove the interface from any carp group it is a part of. */ if (ifp->if_carp != NULL && ifp->if_type != IFT_CARP) @@ -1501,6 +1499,7 @@ again: mutex_obj_free(ifp->if_ioctl_lock); ifp->if_ioctl_lock = NULL; + mutex_obj_free(ifp->if_snd.ifq_lock); splx(s);
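Review bot: after the move, `mutex_obj_free(ifp->if_snd.ifq_lock)` sits directly below `ifp->if_ioctl_lock = NULL;` but the freed `ifq_lock` pointer is left dangling; adding `ifp->if_snd.ifq_lock = NULL;` there would match the neighbouring pattern and turn any remaining late use into an obvious NULL dereference instead of a use-after-free.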
CVS commit: src/sys/dev/usb
Module Name:src Committed By: msaitoh Date: Tue Jan 30 08:53:39 UTC 2018 Modified Files: src/sys/dev/usb: xhci.c Log Message: Avoid panic while detaching xhci. The xhci driver has both sc_child and sc_child2 but xhci_childdet() only supported sc_child. OK'd by Nick. To generate a diff of this commit: cvs rdiff -u -r1.83 -r1.84 src/sys/dev/usb/xhci.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/usb/xhci.c diff -u src/sys/dev/usb/xhci.c:1.83 src/sys/dev/usb/xhci.c:1.84 --- src/sys/dev/usb/xhci.c:1.83 Wed Dec 20 08:21:11 2017 +++ src/sys/dev/usb/xhci.c Tue Jan 30 08:53:39 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xhci.c,v 1.83 2017/12/20 08:21:11 skrll Exp $ */ +/* $NetBSD: xhci.c,v 1.84 2018/01/30 08:53:39 msaitoh Exp $ */ /* * Copyright (c) 2013 Jonathan A. Kollasch @@ -34,7 +34,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.83 2017/12/20 08:21:11 skrll Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.84 2018/01/30 08:53:39 msaitoh Exp $"); #ifdef _KERNEL_OPT #include "opt_usb.h" @@ -577,8 +577,10 @@ xhci_childdet(device_t self, device_t ch { struct xhci_softc * const sc = device_private(self); - KASSERT(sc->sc_child == child); - if (child == sc->sc_child) + KASSERT((sc->sc_child == child) || (sc->sc_child2 == child)); + if (child == sc->sc_child2) + sc->sc_child2 = NULL; + else if (child == sc->sc_child) sc->sc_child = NULL; }
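Review bot: the relaxed `KASSERT((sc->sc_child == child) || (sc->sc_child2 == child))` is right, but the `if / else if` makes the clearing order-dependent; two independent statements (`if (child == sc->sc_child) sc->sc_child = NULL;` followed by `if (child == sc->sc_child2) sc->sc_child2 = NULL;`) express the intent without relying on the two pointers never aliasing.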
CVS commit: src/sys/dev/pci
Module Name:src Committed By: knakahara Date: Tue Jan 30 08:15:47 UTC 2018 Modified Files: src/sys/dev/pci: if_wm.c Log Message: Make wm(4) watchdog MP-safe. There is almost no influence on performance. wm(4) does not use ifp->if_watchdog now, that is, it does not touch ifp->if_timer. It also uses own callout(wm_tick) as watchdog now. The watchdog uses per-queue counter to check timeout. So, global lock is not required. To generate a diff of this commit: cvs rdiff -u -r1.561 -r1.562 src/sys/dev/pci/if_wm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/dev/pci/if_wm.c diff -u src/sys/dev/pci/if_wm.c:1.561 src/sys/dev/pci/if_wm.c:1.562 --- src/sys/dev/pci/if_wm.c:1.561 Mon Jan 29 04:17:32 2018 +++ src/sys/dev/pci/if_wm.c Tue Jan 30 08:15:47 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: if_wm.c,v 1.561 2018/01/29 04:17:32 knakahara Exp $ */ +/* $NetBSD: if_wm.c,v 1.562 2018/01/30 08:15:47 knakahara Exp $ */ /* * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc. @@ -83,7 +83,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.561 2018/01/29 04:17:32 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.562 2018/01/30 08:15:47 knakahara Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -183,6 +183,11 @@ int wm_debug = WM_DEBUG_TX | WM_DEBUG_RX int wm_disable_msi = WM_DISABLE_MSI; int wm_disable_msix = WM_DISABLE_MSIX; +#ifndef WM_WATCHDOG_TIMEOUT +#define WM_WATCHDOG_TIMEOUT 5 +#endif +static int wm_watchdog_timeout = WM_WATCHDOG_TIMEOUT; + /* * Transmit descriptor list size. Due to errata, we can only have * 256 hardware descriptors in the ring on < 82544, but we use 4096 @@ -363,6 +368,9 @@ struct wm_txqueue { bool txq_stopping; + bool txq_watchdog; + time_t txq_lastsent; + uint32_t txq_packets; /* for AIM */ uint32_t txq_bytes; /* for AIM */ #ifdef WM_EVENT_COUNTERS 
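Review bot: `WM_WATCHDOG_TIMEOUT` and `wm_watchdog_timeout` carry no unit in their names or a comment; since `wm_watchdog_txq()` compares `time_uptime - txq->txq_lastsent` against the value, it is seconds, and saying so beside the `#define` (and that it is a compile-time knob, not a sysctl) would stop someone setting it in ticks; likewise the new `txq_watchdog` and `txq_lastsent` members of `struct wm_txqueue` deserve a comment naming `txq_lock` as the lock that protects them.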
@@ -680,8 +688,8 @@ static int wm_detach(device_t, int); static bool wm_suspend(device_t, const pmf_qual_t *); static bool wm_resume(device_t, const pmf_qual_t *); static void wm_watchdog(struct ifnet *); -static void wm_watchdog_txq(struct ifnet *, struct wm_txqueue *); -static void wm_watchdog_txq_locked(struct ifnet *, struct wm_txqueue *); +static void wm_watchdog_txq(struct ifnet *, struct wm_txqueue *, uint16_t *); +static void wm_watchdog_txq_locked(struct ifnet *, struct wm_txqueue *, uint16_t *); static void wm_tick(void *); static int wm_ifflags_cb(struct ethercom *); static int wm_ioctl(struct ifnet *, u_long, void *); @@ -2683,7 +2691,7 @@ alloc_retry: if (wm_is_using_multiqueue(sc)) ifp->if_transmit = wm_transmit; } - ifp->if_watchdog = wm_watchdog; + /* wm(4) doest not use ifp->if_watchdog, use wm_tick as watchdog. */ ifp->if_init = wm_init; ifp->if_stop = wm_stop; IFQ_SET_MAXLEN(>if_snd, max(WM_IFQUEUELEN, IFQ_MAXLEN)); 
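Review bot: the replacement comment `/* wm(4) doest not use ifp->if_watchdog, use wm_tick as watchdog. */` has a typo (`doest` -> `does`); with `ifp->if_watchdog` no longer set the driver relies entirely on `wm_tick` firing, so noting there that `if_timer` is intentionally untouched (as the log message says) would help anyone grepping for the generic watchdog.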
@@ -2945,37 +2953,47 @@ wm_watchdog(struct ifnet *ifp) { int qid; struct wm_softc *sc = ifp->if_softc; + uint16_t hang_queue = 0; /* Max queue number of wm(4) is 82576's 16. */ for (qid = 0; qid < sc->sc_nqueues; qid++) { struct wm_txqueue *txq = >sc_queue[qid].wmq_txq; - wm_watchdog_txq(ifp, txq); + wm_watchdog_txq(ifp, txq, _queue); } - /* Reset the interface. */ - (void) wm_init(ifp); - /* - * There are still some upper layer processing which call - * ifp->if_start(). e.g. ALTQ or one CPU system + * IF any of queues hanged up, reset the interface. */ - /* Try to get more packets going. */ - ifp->if_start(ifp); + if (hang_queue != 0) { + (void) wm_init(ifp); + + /* + * There are still some upper layer processing which call + * ifp->if_start(). e.g. ALTQ or one CPU system + */ + /* Try to get more packets going. */ + ifp->if_start(ifp); + } } + static void -wm_watchdog_txq(struct ifnet *ifp, struct wm_txqueue *txq) +wm_watchdog_txq(struct ifnet *ifp, struct wm_txqueue *txq, uint16_t *hang) { mutex_enter(txq->txq_lock); - wm_watchdog_txq_locked(ifp, txq); + if (txq->txq_watchdog && + time_uptime - txq->txq_lastsent > wm_watchdog_timeout) { + wm_watchdog_txq_locked(ifp, txq, hang); + } mutex_exit(txq->txq_lock); } static void -wm_watchdog_txq_locked(struct ifnet *ifp, struct wm_txqueue *txq) +wm_watchdog_txq_locked(struct ifnet *ifp, struct wm_txqueue *txq, uint16_t *hang) { struct wm_softc *sc = ifp->if_softc; + struct wm_queue *wmq = container_of(txq, struct wm_queue, wmq_txq); KASSERT(mutex_owned(txq->txq_lock)); @@ -2984,6 +3002,8 @@ wm_watchdog_txq_locked(struct ifnet *ifp * before we report an error. */ wm_txeof(txq, UINT_MAX); + if (txq->txq_watchdog) + *hang |= __BIT(wmq->wmq_id); if (txq->txq_free != WM_NTXDESC(txq)) { #ifdef WM_DEBUG @@ -3044,8 +3064,13 @@ wm_tick(void *arg) WM_CORE_LOCK(sc); - if (sc->sc_core_stopping) - goto out; + if (sc->sc_core_stopping) { + WM_CORE_UNLOCK(sc); +#ifndef WM_MPSAFE + splx(s);
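Review bot: `hang_queue` is a `uint16_t` bitmask filled with `*hang |= __BIT(wmq->wmq_id)`, and the comment pins the limit at the 82576's 16 queues; a `KASSERT(wmq->wmq_id < 16)` (or widening to `uint32_t`) would keep a future part with more queues from silently losing hang bits, and the comment `IF any of queues hanged up` should read `If any queue hung up`.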
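Review bot: in `wm_watchdog_txq_locked()` the hang bit is set whenever `txq->txq_watchdog` is still true after `wm_txeof(txq, UINT_MAX)`, so the scheme depends on `wm_txeof` clearing `txq_watchdog` once the ring drains and on the transmit path setting it and `txq_lastsent` under `txq_lock`; neither side is in this hunk, so a comment at the `*hang |=` line stating that contract would make the per-queue timeout reviewable in isolation.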