CVS commit: src/sys/net

2018-01-30 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Wed Jan 31 07:33:18 UTC 2018

Modified Files:
src/sys/net: if_ipsec.c

Log Message:
apply a little more #ifdef INET/INET6.  fixes !INET6 builds.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/if_ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_ipsec.c
diff -u src/sys/net/if_ipsec.c:1.2 src/sys/net/if_ipsec.c:1.3
--- src/sys/net/if_ipsec.c:1.2	Mon Jan 15 02:39:53 2018
+++ src/sys/net/if_ipsec.c	Wed Jan 31 07:33:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.2 2018/01/15 02:39:53 knakahara Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.3 2018/01/31 07:33:18 mrg Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.2 2018/01/15 02:39:53 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3 2018/01/31 07:33:18 mrg Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -782,18 +782,30 @@ bad:
 }
 
 struct encap_funcs {
+#ifdef INET
 	int (*ef_inet)(struct ipsec_variant *);
+#endif
+#ifdef INET6
 	int (*ef_inet6)(struct ipsec_variant *);
+#endif
 };
 
 static struct encap_funcs ipsec_encap_attach = {
+#ifdef INET
 	.ef_inet = ipsecif4_attach,
+#endif
+#ifdef INET6
 	.ef_inet6 = _attach,
+#endif
 };
 
 static struct encap_funcs ipsec_encap_detach = {
+#ifdef INET
 	.ef_inet = ipsecif4_detach,
+#endif
+#ifdef INET6
 	.ef_inet6 = _detach,
+#endif
 };
 
 static int
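Review bot: with neither INET nor INET6 defined, `struct encap_funcs {` ... `};` is left with no members at all, which standard C does not permit and which compilers accept only as an extension; a `#if !defined(INET) && !defined(INET6)` `#error` guard, or one unconditional member, would make the supported configurations explicit. The same `#ifdef` pairing must also cover every reader of `ef_inet` and `ef_inet6` (the attach/detach call sites are not in this hunk), or the !INET6 build named in the log message still fails there. As displayed, the IPv6 initializers read `.ef_inet6 = _attach,` and `.ef_inet6 = _detach,` with no function name before the underscore, so confirm they resolve to the real IPv6 attach and detach routines before this is merged.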




Re: CVS commit: src/sys/net/npf

2018-01-30 Thread Maxime Villard

On 31/01/2018 at 00:18, Mindaugas Rasiukevicius wrote:

[...]

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.

[...]
If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.


I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.

while (nbuf_advance(nbuf, hlen, 0) != NULL) {
[...]
hlen = (ip6e->ip6e_len + 1) << 3;
[...]
npc->npc_hlen += hlen;
}
[continue execution...]

Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will fail,
and we're not handling this case. npc_hlen got incremented along the way, and
it now points past the end of the mbuf.

Perhaps that's handled properly later, but in all cases, we ought to handle
the error right here instead of processing the packet any further.

Note however that NPF is rather at the end of my TODO list, and I'll come back
to it later.

Maxime


Re: CVS commit: src/sys/net/npf

2018-01-30 Thread Mindaugas Rasiukevicius
"Maxime Villard"  wrote:
> Module Name:  src
> Committed By: maxv
> Date: Fri Dec 15 21:00:26 UTC 2017
> 
> Modified Files:
>   src/sys/net/npf: npf.h
> 
> Log Message:
> Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
> bypass a certain number of filtering rules.
> 
> Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
> 8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
> has large extensions.

Thanks for discovering and fixing this.  I think this is the first
serious remote vulnerability in NPF, although limited to IPv6 only.

> Fix this by using uint32_t. While here, it seems to me there is also a
> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
> a value that goes beyond the mbuf.

A minor aspect, but promoting npf_hlen to uint32_t results in wasteful
padding in the struct, so it is better to re-order the struct members
in this case.

If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.  However, I think
we should implement some sanity check for the npc_hlen value.  RFC 7112
suggests that the IPv6 header chain should not exceed the MTU size (and
thus fit in the first fragment, in case of fragmentation).  Some value
along these lines could be the basis for a sanity check.

-- 
Mindaugas
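As an added example (not NPF's code, and not from either of the two posts above), this C program models the npf_cache_ip loop Maxime quotes together with the 8-bit npc_hlen that maxv's commit message describes, and applies the two hardening steps the thread discusses: a failed nbuf_advance is treated as an error instead of falling through, and the header chain is bounded as Mindaugas suggests. The `nbuf`, `walk_ip6`, `build_pkt` and `demo` names are constructed stand-ins, and the RFC 7112 style bound is taken as the `max_hlen` parameter (1280, the IPv6 minimum MTU, in the calls below).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_HOPOPTS   0
#define IPPROTO_TCP       6
#define IPPROTO_ROUTING   43
#define IPPROTO_FRAGMENT  44
#define IPPROTO_AH        51
#define IPPROTO_DSTOPTS   60
#define IP6_HDR_LEN       40
#define IP6_NXT_OFFSET    6

/* Constructed stand-in for NPF's nbuf: a flat packet buffer plus a cursor. */
struct nbuf { const uint8_t *base; size_t len; size_t off; };

/* Move the cursor forward by n bytes and require `ensure` readable bytes there;
 * NULL when that runs past the packet (the bounds check the thread mentions). */
static const uint8_t *nbuf_advance(struct nbuf *nb, size_t n, size_t ensure)
{
    if (n > nb->len - nb->off || ensure > nb->len - nb->off - n) return NULL;
    nb->off += n;
    return nb->base + nb->off;
}

static int is_ext(uint8_t nxt)
{
    return nxt == IPPROTO_HOPOPTS || nxt == IPPROTO_ROUTING ||
           nxt == IPPROTO_FRAGMENT || nxt == IPPROTO_AH || nxt == IPPROTO_DSTOPTS;
}

struct walk {
    int      ok;      /* 1 = header chain accepted */
    uint8_t  hlen8;   /* the sum as the pre-fix 8-bit npc_hlen would hold it */
    uint32_t hlen32;  /* the same sum in 32 bits (offset of the upper-layer header) */
    uint8_t  proto;   /* upper-layer protocol reached */
};

/* Walk the extension-header chain the way the quoted npf_cache_ip loop does, with
 * two changes the thread asks for: a failed nbuf_advance is an error rather than a
 * silent fall-through, and a chain longer than max_hlen is rejected. */
static struct walk walk_ip6(const uint8_t *pkt, size_t pktlen, uint32_t max_hlen)
{
    struct nbuf nb = { pkt, pktlen, 0 };
    struct walk w = { 0, 0, 0, 0 };
    if (pktlen < IP6_HDR_LEN) return w;

    uint8_t nxt = pkt[IP6_NXT_OFFSET];
    uint32_t hlen = IP6_HDR_LEN;          /* length of the header under the cursor */
    w.hlen8 = IP6_HDR_LEN;
    w.hlen32 = IP6_HDR_LEN;

    while (is_ext(nxt)) {
        const uint8_t *ip6e = nbuf_advance(&nb, hlen, 2);  /* ip6e_nxt, ip6e_len */
        if (ip6e == NULL) return w;       /* next header lies past the packet: drop */
        switch (nxt) {
        case IPPROTO_FRAGMENT: hlen = 8; break;
        case IPPROTO_AH:       hlen = ((uint32_t)ip6e[1] + 2) << 2; break;
        default:               hlen = ((uint32_t)ip6e[1] + 1) << 3; break;
        }
        nxt = ip6e[0];
        w.hlen8 = (uint8_t)(w.hlen8 + hlen);   /* wraps modulo 256 */
        w.hlen32 += hlen;
        if (w.hlen32 > max_hlen) return w;     /* sanity bound on the whole chain */
    }
    if (w.hlen32 > pktlen) return w;           /* last extension header does not fit */
    w.proto = nxt;
    w.ok = 1;
    return w;
}

/* Constructed packet: IPv6 header, n destination-options headers whose ip6e_len
 * field is ext_len (so each is (ext_len+1)*8 bytes), then TCP. buflen is the
 * on-the-wire length; headers that would fall beyond it are simply not written. */
static void build_pkt(uint8_t *buf, size_t buflen, int n, uint8_t ext_len)
{
    memset(buf, 0, buflen);
    if (buflen < IP6_HDR_LEN) return;
    buf[IP6_NXT_OFFSET] = n > 0 ? IPPROTO_DSTOPTS : IPPROTO_TCP;
    for (int i = 0; i < n; i++) {
        size_t off = IP6_HDR_LEN + (size_t)i * ((size_t)ext_len + 1) * 8;
        if (off + 2 > buflen) break;
        buf[off]     = (i == n - 1) ? IPPROTO_TCP : IPPROTO_DSTOPTS;
        buf[off + 1] = ext_len;
    }
}

static struct walk demo(int n, uint8_t ext_len, size_t pktlen, uint32_t max_hlen)
{
    static uint8_t buf[2048];
    if (pktlen > sizeof buf) pktlen = sizeof buf;
    build_pkt(buf, pktlen, n, ext_len);
    return walk_ip6(buf, pktlen, max_hlen);
}

int main(void)
{
    struct walk w = demo(1, 26, 276, 1280);  /* one 216-byte header: 40+216 = 256 */
    printf("8-bit npc_hlen=%u 32-bit=%u accepted=%d\n", w.hlen8, w.hlen32, w.ok);
    w = demo(2, 26, 100, 1280);              /* second header lies past the packet */
    printf("truncated chain accepted=%d\n", w.ok);
    return 0;
}
```

A single 216-byte destination-options header brings the 8-bit sum back to 0 while the 32-bit sum reads 256, which is the wrap the commit message describes.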



CVS commit: src/share/misc

2018-01-30 Thread Brian Ginsbach
Module Name:src
Committed By:   ginsbach
Date:   Tue Jan 30 22:45:12 UTC 2018

Modified Files:
src/share/misc: acronyms.comp

Log Message:
Add more "* as a service" and "software defined *" acronyms


To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 src/share/misc/acronyms.comp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/misc/acronyms.comp
diff -u src/share/misc/acronyms.comp:1.189 src/share/misc/acronyms.comp:1.190
--- src/share/misc/acronyms.comp:1.189	Sun Jan 21 14:01:55 2018
+++ src/share/misc/acronyms.comp	Tue Jan 30 22:45:12 2018
@@ -1,4 +1,4 @@
-$NetBSD: acronyms.comp,v 1.189 2018/01/21 14:01:55 alnsn Exp $
+$NetBSD: acronyms.comp,v 1.190 2018/01/30 22:45:12 ginsbach Exp $
 3WHS	three-way handshake
 8VSB	8-state vestigial side band modulation
 AA	anti-aliasing
@@ -351,6 +351,7 @@ DPI	dots per inch
 DPL	descriptor privilege level
 DPS	Display PostScript
 DPST	display power savings technology
+DRAAS	disaster recovery as a service
 DRAM	dynamic random access memory
 DRBG	deterministic random bit generator
 DRI	direct rendering infrastructure
@@ -560,6 +561,7 @@ HVM	hardware virtual machine
 HZ	Hertz
 I2O	intelligent input/output
 IA	information assurance
+IAAS	infrastructure as a service
 IANA	Internet Assigned Numbers Authority
 IBC	iterated block cipher
 IBM	International Business Machines
@@ -840,6 +842,7 @@ NFA	nondeterministic finite automaton
 NFC	near-field communication
 NFCI	no functional change intended
 NFS	network file system
+NFV	network function virtualization
 NIA	next instruction address
 NIC	network information center
 NIC	network interface card
@@ -913,6 +916,7 @@ P2P	PCI to PCI
 P2P	peer to peer
 PA	phase accumulator
 PA	physical address
+PAAS	platform as a service
 PAC	phase-amplitude converter
 PAE	physical address extension
 PAL	phase alternating line
@@ -1160,7 +1164,9 @@ SDK	software development kit
 SDL	Simple Declarative Language
 SDL	Simple Direct-media Layer 
 SDLC	{software,system,systems} development life cycle
+SDN	software defined networking
 SDRAM	synchronous dynamic random access memory
+SDS	software defined storage
 SDT	syntax-directed translation
 SEGV	segmentation violation
 SEO	search engine optimization



CVS commit: [netbsd-6-0] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:11:24 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-0]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.12.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.12.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.12.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.12.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:11:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.12.1 2018/01/30 22:11:24 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.12.1 2018/01/30 22:11:24 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
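Review bot: the replacement still derives the pointer as `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);`, which is the same first-mbuf arithmetic the ticket #1523 log message calls wrong when the previous header lives in a later mbuf of the chain; having ip6_get_prevhdr() return an offset only helps if the caller then resolves that offset safely. Either document why ah6_input has already pulled the whole header chain up to `off` into the first mbuf, or resolve `prvnxt` with IP6_EXTHDR_GET as the log message says the other callers do, and make the retained `/* XXX */` state which of the two applies.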

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.12.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:11:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.12.1 2018/01/30 22:11:24 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.12.1 2018/01/30 22:11:24 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;
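Review bot: `const int prvnxt = ip6_get_prevhdr(m, off);` is used as an offset on the next line without checking that it is non-negative and below `m->m_len` (the first mbuf's length), so a chain whose previous header sits in a later mbuf still yields a pointer past the first mbuf's data, the very condition ticket #1523 fixes in ip6_input.c. Add that check, or fetch the byte through IP6_EXTHDR_GET instead of `mtod(m, u_int8_t *) + prvnxt`.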

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.12.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:11:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.12.1 2018/01/30 22:11:24 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.12.1 2018/01/30 22:11:24 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*
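Review bot: the new line `prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */` adds an XXX marker that the line it replaces did not carry, without saying what it flags. If it marks the assumption that offset `prvnxt` lies inside the first mbuf, write that in the comment (and preferably enforce it with a bounds check or IP6_EXTHDR_GET) so the next reader of ipcomp6_input does not have to rediscover ticket #1523 to understand it.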




CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:56 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.14.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
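Review bot: same patch as the netbsd-6-0 pull-up of this ticket, and the same concern: `prvnxtp = (mtod(m, u_int8_t *) + prvnxt);` indexes from the first mbuf only, so the offset form of ip6_get_prevhdr() gains nothing in ah6_input unless `prvnxt` is known to be below `m->m_len` at this point. Resolve the offset with IP6_EXTHDR_GET or add that check before `*prvnxtp = nxt;` writes through the pointer.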

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.14.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.14.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*





CVS commit: [netbsd-6] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:20 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.8.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
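Review bot: `*prvnxtp = nxt;` writes one packet-controlled byte through a pointer built as `mtod(m, u_int8_t *) + prvnxt`, with `prvnxt` never compared against the first mbuf's `m_len`; on this branch as on the others, the write is safe only if the header chain up to `off` is guaranteed contiguous in the first mbuf. State that guarantee in the `/* XXX */` comment or go through IP6_EXTHDR_GET, which the ticket's log message names as the intended way to obtain a writable pointer.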

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.8.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.8.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.8.1 2018/01/30 22:10:20 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*



CVS commit: src/sys/dev/ic

2018-01-30 Thread Jonathan A. Kollasch
Module Name:src
Committed By:   jakllsch
Date:   Tue Jan 30 20:20:38 UTC 2018

Modified Files:
src/sys/dev/ic: mpt_netbsd.c

Log Message:
Move mpt_disc_enable setting into is_scsi block.

The field is only 16 bits, and is only referred to in the is_scsi case.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/sys/dev/ic/mpt_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/mpt_netbsd.c
diff -u src/sys/dev/ic/mpt_netbsd.c:1.33 src/sys/dev/ic/mpt_netbsd.c:1.34
--- src/sys/dev/ic/mpt_netbsd.c:1.33	Mon May  2 19:18:29 2016
+++ src/sys/dev/ic/mpt_netbsd.c	Tue Jan 30 20:20:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: mpt_netbsd.c,v 1.33 2016/05/02 19:18:29 christos Exp $	*/
+/*	$NetBSD: mpt_netbsd.c,v 1.34 2018/01/30 20:20:38 jakllsch Exp $	*/
 
 /*
  * Copyright (c) 2003 Wasabi Systems, Inc.
@@ -77,7 +77,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.33 2016/05/02 19:18:29 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.34 2018/01/30 20:20:38 jakllsch Exp $");
 
 #include "bio.h"
 
@@ -1121,12 +1121,6 @@ mpt_set_xfer_mode(mpt_softc_t *mpt, stru
 {
 	fCONFIG_PAGE_SCSI_DEVICE_1 tmp;
 
-	/*
-	 * Always allow disconnect; we don't have a way to disable
-	 * it right now, in any case.
-	 */
-	mpt->mpt_disc_enable |= (1 << xm->xm_target);
-
 	if (xm->xm_mode & PERIPH_CAP_TQING)
 		mpt->mpt_tag_enable |= (1 << xm->xm_target);
 	else
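Review bot: removing the unconditional `mpt->mpt_disc_enable |= (1 << xm->xm_target);` leaves the neighbouring `mpt->mpt_tag_enable |= (1 << xm->xm_target);` outside the `is_scsi` block, and mpt_tag_enable is the same kind of 16-bit SPI-only field (`uint16_t _tag_enable` sits beside `_disc_enable` in the mpt_netbsd.h diff on this page). The log message's reasoning applies to both, so either move both into the block or say why tag_enable is different.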
@@ -1134,6 +1128,12 @@ mpt_set_xfer_mode(mpt_softc_t *mpt, stru
 
 	if (mpt->is_scsi) {
 		/*
+		 * Always allow disconnect; we don't have a way to disable
+		 * it right now, in any case.
+		 */
+		mpt->mpt_disc_enable |= (1 << xm->xm_target);
+
+		/*
 		 * SCSI transport settings only make any sense for
 		 * SCSI
 		 */
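Review bot: `mpt->mpt_disc_enable |= (1 << xm->xm_target);` now runs only for SCSI, but nothing here bounds `xm->xm_target` to the 16 bits of the field; a `KASSERT(xm->xm_target < 16)` (the SPI per-device tables in mpt_netbsd.h have 16 entries) would make the reason this belongs in the `is_scsi` block explicit and catch a wider target id immediately instead of silently setting no bit.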




CVS commit: src/sys/dev/ic

2018-01-30 Thread Jonathan A. Kollasch
Module Name:src
Committed By:   jakllsch
Date:   Tue Jan 30 20:15:41 UTC 2018

Modified Files:
src/sys/dev/ic: mpt.c

Log Message:
more-fully initialize mpt_disc_enable


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/dev/ic/mpt.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/mpt.c
diff -u src/sys/dev/ic/mpt.c:1.17 src/sys/dev/ic/mpt.c:1.18
--- src/sys/dev/ic/mpt.c:1.17	Sat Sep 27 16:14:16 2014
+++ src/sys/dev/ic/mpt.c	Tue Jan 30 20:15:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: mpt.c,v 1.17 2014/09/27 16:14:16 jmcneill Exp $	*/
+/*	$NetBSD: mpt.c,v 1.18 2018/01/30 20:15:41 jakllsch Exp $	*/
 
 /*
  * Copyright (c) 2000, 2001 by Greg Ansley
@@ -110,7 +110,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: mpt.c,v 1.17 2014/09/27 16:14:16 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mpt.c,v 1.18 2018/01/30 20:15:41 jakllsch Exp $");
 
 #include 
 
@@ -940,7 +940,7 @@ mpt_set_initial_config_spi(mpt_softc_t *
 {
 	int i, pp1val = ((1 << mpt->mpt_ini_id) << 16) | mpt->mpt_ini_id;
 
-	mpt->mpt_disc_enable = 0xff;
+	mpt->mpt_disc_enable = 0x;
 	mpt->mpt_tag_enable = 0;
 
 	if (mpt->mpt_port_page1.Configuration != pp1val) {
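Review bot: as shown, the new initializer reads `mpt->mpt_disc_enable = 0x;`, which is not a complete literal; given the log message ("more-fully initialize") and the 16-bit width of mpt_disc_enable, verify that the committed value sets all 16 target bits rather than the former 8 (`0xff`), and consider a named mask so the intended width is obvious to the reader.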



CVS commit: src/sys/arch/shark/isa

2018-01-30 Thread Nick Hudson
Module Name:src
Committed By:   skrll
Date:   Tue Jan 30 19:22:28 UTC 2018

Modified Files:
src/sys/arch/shark/isa: isa_irq.S

Log Message:
whitespace


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/arch/shark/isa/isa_irq.S

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/shark/isa/isa_irq.S
diff -u src/sys/arch/shark/isa/isa_irq.S:1.16 src/sys/arch/shark/isa/isa_irq.S:1.17
--- src/sys/arch/shark/isa/isa_irq.S:1.16	Mon Dec  2 18:36:11 2013
+++ src/sys/arch/shark/isa/isa_irq.S	Tue Jan 30 19:22:28 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: isa_irq.S,v 1.16 2013/12/02 18:36:11 joerg Exp $	*/
+/*	$NetBSD: isa_irq.S,v 1.17 2018/01/30 19:22:28 skrll Exp $	*/
 
 /*
  * Copyright 1997
@@ -134,7 +134,7 @@ ASENTRY_NP(irq_entry)
 	ldr	r0, .Lvam_io_data
 	ldr	r0, [r0]
 	ldrb	r8, [r0, #IO_ICU1]/* ocw3 = irr */
-	
+
 	/* clear the IRR bits that are currently masked. */
 	ldr	r2, .Li8259_mask
 	ldr	r2, [r2]
@@ -197,7 +197,7 @@ ASENTRY_NP(irq_entry)
 	mvn	r2, r2
 	orr	r0, r0, r2
 
-	str	r0, [r1]	
+	str	r0, [r1]
 
 	ldr	r1, [r4, #CI_CPL]
 	str	r9, [r4, #CI_CPL]




CVS commit: src/sys/dev/ic

2018-01-30 Thread Jonathan A. Kollasch
Module Name:src
Committed By:   jakllsch
Date:   Tue Jan 30 19:13:09 UTC 2018

Modified Files:
src/sys/dev/ic: mpt_netbsd.h

Log Message:
remove unused softc variables


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/dev/ic/mpt_netbsd.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/mpt_netbsd.h
diff -u src/sys/dev/ic/mpt_netbsd.h:1.11 src/sys/dev/ic/mpt_netbsd.h:1.12
--- src/sys/dev/ic/mpt_netbsd.h:1.11	Tue Apr  1 23:57:54 2014
+++ src/sys/dev/ic/mpt_netbsd.h	Tue Jan 30 19:13:08 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: mpt_netbsd.h,v 1.11 2014/04/01 23:57:54 buhrow Exp $	*/
+/*	$NetBSD: mpt_netbsd.h,v 1.12 2018/01/30 19:13:08 jakllsch Exp $	*/
 
 /*
  * Copyright (c) 2003 Wasabi Systems, Inc.
@@ -193,8 +193,6 @@ typedef struct mpt_softc {
 			fCONFIG_PAGE_SCSI_DEVICE_1	_dev_page1[16];
 			uint16_t			_tag_enable;
 			uint16_t			_disc_enable;
-			uint16_t			_update_params0;
-			uint16_t			_update_params1;
 			uint16_t			_report_xfer_mode;
 		} spi;
 #define	mpt_port_page0		cfg.spi._port_page0
@@ -204,8 +202,6 @@ typedef struct mpt_softc {
 #define	mpt_dev_page1		cfg.spi._dev_page1
 #define	mpt_tag_enable		cfg.spi._tag_enable
 #define	mpt_disc_enable		cfg.spi._disc_enable
-#define	mpt_update_params0	cfg.spi._update_params0
-#define	mpt_update_params1	cfg.spi._update_params1
 #define	mpt_report_xfer_mode	cfg.spi._report_xfer_mode
 
 		struct mpt_fc_cfg {




CVS commit: [netbsd-6-0] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:48:17 UTC 2018

Modified Files:
src/doc [netbsd-6-0]: CHANGES-6.0.7

Log Message:
Ticket #1523


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.123 -r1.1.2.124 src/doc/CHANGES-6.0.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.0.7
diff -u src/doc/CHANGES-6.0.7:1.1.2.123 src/doc/CHANGES-6.0.7:1.1.2.124
--- src/doc/CHANGES-6.0.7:1.1.2.123	Mon Jan 29 19:31:26 2018
+++ src/doc/CHANGES-6.0.7	Tue Jan 30 18:48:17 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.0.7,v 1.1.2.123 2018/01/29 19:31:26 martin Exp $
+# $NetBSD: CHANGES-6.0.7,v 1.1.2.124 2018/01/30 18:48:17 martin Exp $
 
 A complete list of changes from the NetBSD 6.0.6 release to the NetBSD 6.0.7
 release:
@@ -15287,3 +15287,14 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1521]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+sys/netinet6/ah_input.cadjust other callers (patch)
+sys/netinet6/esp_input.c			adjust other callers (patch)
+sys/netinet6/ipcomp_input.c			adjust other callers (patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1523]
+



CVS commit: [netbsd-6-0] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:47:35 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of
packet-controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.1.4.1 -r1.52.2.1.4.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.6.1 -r1.58.6.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.6.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.1.4.1 src/sys/netinet6/frag6.c:1.52.2.1.4.2
--- src/sys/netinet6/frag6.c:1.52.2.1.4.1	Thu Oct 25 17:26:18 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:47:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.1.4.1 2012/10/25 17:26:18 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.1.4.2 2018/01/30 18:47:35 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.1.4.1 2012/10/25 17:26:18 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.1.4.2 2018/01/30 18:47:35 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
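Review bot: the `goto dropfrag` in the new `IP6_EXTHDR_GET` failure branch executes after `frag6_remque(q6)` and `kmem_intr_free(q6, sizeof(struct ip6q))` in the preceding hunk, so the `dropfrag` path must not reference `q6` or the queue entry; please confirm it only frees the mbuf and counts the drop, otherwise a failed lookup would turn this fix into a use-after-free. Separately, `prvnxt` is handed straight to `IP6_EXTHDR_GET`; if the offset-returning `ip6_get_prevhdr()` can signal an error, that value needs a check before the macro.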

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.6.1 src/sys/netinet6/ip6_input.c:1.136.6.2
--- src/sys/netinet6/ip6_input.c:1.136.6.1	Mon Jul  8 07:40:34 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:47:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.6.2 2018/01/30 18:47:35 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.2 2018/01/30 18:47:35 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently 
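The bug described in the log above is the classic chained-buffer mistake: `mtod(m, char *) + len` assumes the byte at chain offset `len` lives in the first mbuf, which only holds when `len` is smaller than that mbuf's `m_len`. The C program below is an added illustration, not NetBSD code and not part of this commit: it models an mbuf chain with a toy `struct toy_mbuf` (an assumption, sized at 8 bytes so crossings are easy to trigger), reports the bounds condition the old pointer arithmetic silently relied on, and implements a chain-walking lookup `chain_get()` that plays the role `IP6_EXTHDR_GET` plays in the fix by returning NULL, which the caller treats as a drop, instead of forming a pointer past the end of the first buffer. Unlike the kernel macro, the toy does not pull bytes together when the requested span straddles two mbufs; it simply refuses. It serves the #1523 pull-ups on this page and the #1560 pull-up below equally, since they carry the same fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the data area in each toy mbuf (assumed; real mbufs are larger). */
#define TOY_MBUF_SIZE 8

/* Minimal model of an mbuf: a chained buffer with a per-buffer length. */
struct toy_mbuf {
    struct toy_mbuf *m_next;
    int m_len;
    uint8_t m_data[TOY_MBUF_SIZE];
};

/*
 * The unsafe pattern the commit removes is "mtod(m, char *) + off": it only
 * stays inside the first mbuf when off < m->m_len. Rather than forming the
 * out-of-bounds pointer, this helper reports whether it would be in bounds.
 */
int naive_offset_in_first_mbuf(const struct toy_mbuf *m, int off)
{
    return m != NULL && off >= 0 && off < m->m_len;
}

/*
 * Chain-aware lookup in the spirit of the IP6_EXTHDR_GET use in the fix:
 * walk the chain to the mbuf holding byte `off` and return a pointer to it,
 * or NULL if the chain is too short or the `len` bytes are not contiguous
 * within that mbuf. (The kernel macro can pull the bytes together; this toy
 * just returns NULL, which the caller must treat as "drop the packet".)
 */
uint8_t *chain_get(struct toy_mbuf *m, int off, int len)
{
    if (off < 0 || len <= 0)
        return NULL;
    for (; m != NULL; m = m->m_next) {
        if (off < m->m_len) {
            if (off + len > m->m_len)
                return NULL;            /* would straddle two mbufs */
            return m->m_data + off;
        }
        off -= m->m_len;                /* skip this mbuf entirely */
    }
    return NULL;                        /* offset lies past the chain */
}

/* Total payload bytes in the chain, as the m_pkthdr.len recomputation does. */
int chain_len(const struct toy_mbuf *m)
{
    int total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/*
 * Constructed demo chain: three mbufs holding 8, 4 and 6 bytes, where byte i
 * of the whole packet is filled with the value i so lookups are easy to
 * check. Stands in for a reassembled fragment chain after m_cat().
 */
static struct toy_mbuf demo[3];

struct toy_mbuf *build_demo_chain(void)
{
    const int lens[3] = { 8, 4, 6 };
    int value = 0;
    for (int i = 0; i < 3; i++) {
        demo[i].m_len = lens[i];
        demo[i].m_next = (i + 1 < 3) ? &demo[i + 1] : NULL;
        for (int j = 0; j < lens[i]; j++)
            demo[i].m_data[j] = (uint8_t)value++;
    }
    return &demo[0];
}

/* Byte at chain offset `off`, or -1 when the safe lookup refuses it. */
int byte_at(int off)
{
    uint8_t *p = chain_get(build_demo_chain(), off, 1);
    return p == NULL ? -1 : *p;
}

/* 1 if `len` bytes starting at `off` sit in a single mbuf, else 0. */
int contiguous_at(int off, int len)
{
    return chain_get(build_demo_chain(), off, len) != NULL;
}

int main(void)
{
    struct toy_mbuf *m = build_demo_chain();
    int off = 10;   /* lands in the second mbuf, past the 8-byte first one */
    printf("chain length %d, naive pointer in bounds: %d, safe lookup: %d\n",
           chain_len(m), naive_offset_in_first_mbuf(m, off), byte_at(off));
    return 0;
}
```

Compile with any C99 compiler; `main()` prints the three quantities for offset 10, which lies in the second mbuf of the constructed 8+4+6 chain, so the naive check reports out of bounds while the chain walk finds the byte. The defensive point is the shape of `chain_get()`: a lookup that takes an offset into the chain and can fail forces the caller to write the drop path (`if (prvnxtp == NULL) goto dropfrag;` in the patch), whereas a pointer produced by arithmetic has no failure mode to check.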


CVS commit: [netbsd-6-1] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:46:45 UTC 2018

Modified Files:
src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1523


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.120 -r1.1.2.121 src/doc/CHANGES-6.1.6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.1.6
diff -u src/doc/CHANGES-6.1.6:1.1.2.120 src/doc/CHANGES-6.1.6:1.1.2.121
--- src/doc/CHANGES-6.1.6:1.1.2.120	Mon Jan 29 19:29:48 2018
+++ src/doc/CHANGES-6.1.6	Tue Jan 30 18:46:45 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.1.6,v 1.1.2.120 2018/01/29 19:29:48 martin Exp $
+# $NetBSD: CHANGES-6.1.6,v 1.1.2.121 2018/01/30 18:46:45 martin Exp $
 
 A complete list of changes from the NetBSD 6.1.5 release to the NetBSD 6.1.6
 release:
@@ -14960,3 +14960,14 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1521]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+sys/netinet6/ah_input.cadjust other callers (patch)
+sys/netinet6/esp_input.c			adjust other callers (patch)
+sys/netinet6/ipcomp_input.c			adjust other callers (patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1523]
+




CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:45:59 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.2.2.1
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
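Review bot: by the time the new block reaches `goto dropfrag`, `q6` has already been removed with `frag6_remque(q6)` and released with `kmem_intr_free(q6, sizeof(struct ip6q))` in the preceding hunk, so whatever `dropfrag` does must not touch `q6`; if it does, the safer lookup introduces a use-after-free on the failure path. A short comment above the block explaining that the NXT write was moved after the `m_pkthdr.len` recomputation on purpose would also help the next reader, since the old placement (deleted above) was before `frag6_remque()`.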

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.8.1 src/sys/netinet6/ip6_input.c:1.136.8.2
--- src/sys/netinet6/ip6_input.c:1.136.8.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This 


CVS commit: [netbsd-6] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:45:16 UTC 2018

Modified Files:
src/doc [netbsd-6]: CHANGES-6.2

Log Message:
Ticket #1523


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.316 -r1.1.2.317 src/doc/CHANGES-6.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-6.2
diff -u src/doc/CHANGES-6.2:1.1.2.316 src/doc/CHANGES-6.2:1.1.2.317
--- src/doc/CHANGES-6.2:1.1.2.316	Mon Jan 29 19:27:05 2018
+++ src/doc/CHANGES-6.2	Tue Jan 30 18:45:16 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-6.2,v 1.1.2.316 2018/01/29 19:27:05 martin Exp $
+# $NetBSD: CHANGES-6.2,v 1.1.2.317 2018/01/30 18:45:16 martin Exp $
 
 A complete list of changes from the 6.1 release until the 6.2 release:
 
@@ -21017,3 +21017,15 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1521]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+sys/netinet6/ah_input.cadjust other callers (patch)
+sys/netinet6/esp_input.c			adjust other callers (patch)
+sys/netinet6/ipcomp_input.c			adjust other callers (patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1523]
+
+
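Review bot: the hunk ends with two `+` blank lines (the `@@ -21017,3 +21017,15 @@` header counts 15 new lines against 14 for the same entry in the other CHANGES files), which leaves a double blank line at the end of CHANGES-6.2; drop one so the next entry is separated by a single blank line like the `ticket #1521` entry above.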




CVS commit: [netbsd-6] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:44:22 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.3
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:44:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.3 2018/01/30 18:44:22 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
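Review bot: the `dropfrag` jump in the new `prvnxtp == NULL` branch is taken after `kmem_intr_free(q6, sizeof(struct ip6q))` in the earlier hunk, so the label must not dereference `q6` or walk the queue it belonged to; please verify that path only frees `m` and updates statistics. If it cannot be made safe, the alternative is to resolve `prvnxt` and obtain `prvnxtp` before the `frag6_remque(q6)` call and only perform the store here.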

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.2.1 src/sys/netinet6/ip6_input.c:1.136.2.2
--- src/sys/netinet6/ip6_input.c:1.136.2.1	Mon Jul  8 07:40:07 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:44:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.2 2018/01/30 18:44:22 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This function supposes that


CVS commit: [netbsd-7-0] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:32:34 UTC 2018

Modified Files:
src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1560


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.74 -r1.1.2.75 src/doc/CHANGES-7.0.3

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.0.3
diff -u src/doc/CHANGES-7.0.3:1.1.2.74 src/doc/CHANGES-7.0.3:1.1.2.75
--- src/doc/CHANGES-7.0.3:1.1.2.74	Mon Jan 29 19:44:06 2018
+++ src/doc/CHANGES-7.0.3	Tue Jan 30 18:32:34 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.0.3,v 1.1.2.74 2018/01/29 19:44:06 martin Exp $
+# $NetBSD: CHANGES-7.0.3,v 1.1.2.75 2018/01/30 18:32:34 martin Exp $
 
 A complete list of changes from the NetBSD 7.0.2 release to the NetBSD 7.0.3
 release:
@@ -5195,3 +5195,11 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1557]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1560]
+




CVS commit: [netbsd-7-0] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:31:53 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.1.2.1 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.1.2.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.6.1
--- src/sys/netinet6/frag6.c:1.55	Fri Aug 30 07:42:08 2013
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:31:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.6.1 2018/01/30 18:31:53 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -456,11 +448,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
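Review bot: the new `goto dropfrag` on the `if (prvnxtp == NULL)` branch runs after `frag6_remque(q6)` and `kmem_intr_free(q6, sizeof(struct ip6q))` in the previous hunk, so the `dropfrag` label must not touch `q6` and must release the reassembled chain rather than a single fragment; the label is not visible here, so that should be confirmed. Since IP6_EXTHDR_GET may have to rearrange the chain to make the byte contiguous (the log notes it leaves M_PKTHDR untouched), also confirm that `dropfrag` copes with whatever state `m` is left in on that failure path. A counter for this drop, mirroring the `IP6_STATINC(IP6_STAT_REASSEMBLED)` on the success path, would make these drops observable instead of silent.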

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.2.1
--- src/sys/netinet6/ip6_input.c:1.149.2.1	Fri Jan 23 09:27:15 2015
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:31:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.2.1 2018/01/30 18:31:53 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
 

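The defect the log message describes (computing `mtod(m, char *) + len` when byte `len` may live in a later mbuf of the chain) and the shape of the fix (resolve an offset through a chain-aware accessor and refuse the store when that fails) can be shown in a small self-contained model. The following is an added example written for this page, not NetBSD code: `struct mbuf`, `chain_byte`, `build_chain` and the `demo_*` functions are hypothetical stand-ins, the 40-byte plus 8-byte chain is constructed, and the accessor models only the bounds property, not the chain rearrangement that NetBSD's IP6_EXTHDR_GET / m_pulldown perform.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed: a tiny per-mbuf payload so that a packet spanning two
 * mbufs is easy to set up. Real mbufs are larger and may hold clusters. */
#define MBUF_DATA 64

struct mbuf {
	struct mbuf *m_next;        /* next mbuf in the chain */
	int m_len;                  /* valid bytes in m_data */
	uint8_t m_data[MBUF_DATA];
};

/* The pattern the log message calls wrong assumes packet byte `off`
 * lives in the first mbuf. This predicate says whether that assumption
 * holds; when it does not, mtod(m, char *) + off points past the
 * valid data of the first mbuf. */
static int naive_in_bounds(const struct mbuf *m, int off)
{
	return off >= 0 && off < m->m_len;
}

/* Chain-aware lookup: walk to the mbuf holding packet byte `off` and
 * return a pointer to it, or NULL if the chain is shorter than off + 1.
 * This is the property a safe accessor must have. */
static uint8_t *chain_byte(struct mbuf *m, int off)
{
	if (off < 0)
		return NULL;
	for (; m != NULL; m = m->m_next) {
		if (off < m->m_len)
			return m->m_data + off;
		off -= m->m_len;
	}
	return NULL;
}

/* Constructed two-mbuf chain: 40 bytes (an IPv6-header-sized block) in
 * the first mbuf and 8 bytes (an extension-header-sized block) in the
 * second, whose first byte plays the "next header" field. Returns the
 * total length of the chain. */
static int build_chain(struct mbuf *first, struct mbuf *second)
{
	memset(first, 0, sizeof(*first));
	memset(second, 0, sizeof(*second));
	first->m_next = second;
	first->m_len = 40;
	second->m_len = 8;
	for (int i = 0; i < first->m_len; i++)
		first->m_data[i] = (uint8_t)i;
	second->m_data[0] = 59;     /* constructed: IPPROTO_NONE */
	return first->m_len + second->m_len;
}

/* Would the naive first-mbuf pointer for `off` be valid on the chain? */
static int demo_naive_ok(int off)
{
	struct mbuf a, b;
	build_chain(&a, &b);
	return naive_in_bounds(&a, off);
}

/* Read packet byte `off` through the chain-aware accessor; -1 when the
 * offset is outside the chain (a caller must drop the packet). */
static int demo_read(int off)
{
	struct mbuf a, b;
	build_chain(&a, &b);
	uint8_t *p = chain_byte(&a, off);
	return p == NULL ? -1 : *p;
}

/* Store a new "next header" value at `off` the way the fixed frag6.c
 * does (resolve the offset, check for NULL, then write) and read it
 * back; -1 when the store had to be refused. */
static int demo_restore_nxt(int off, uint8_t nxt)
{
	struct mbuf a, b;
	build_chain(&a, &b);
	uint8_t *p = chain_byte(&a, off);
	if (p == NULL)
		return -1;          /* frag6.c: goto dropfrag */
	*p = nxt;
	return *chain_byte(&a, off);
}

int main(void)
{
	printf("naive pointer valid at offset 40? %d\n", demo_naive_ok(40));
	printf("byte 40 via chain walk: %d\n", demo_read(40));
	printf("byte 48 via chain walk: %d\n", demo_read(48));
	printf("restore nxt at 40: %d\n", demo_restore_nxt(40, 44));
	return 0;
}
```

Offset 40 is the first byte of the second mbuf: the naive predicate rejects it, while the chain walk finds it, and offset 48 (one past the chain) is refused instead of being dereferenced, which is the behaviour the `if (prvnxtp == NULL) goto dropfrag` check in the patch relies on.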
CVS commit: [netbsd-7-1] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:31:12 UTC 2018

Modified Files:
src/doc [netbsd-7-1]: CHANGES-7.1.2

Log Message:
Ticket #1560


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-7.1.2
diff -u src/doc/CHANGES-7.1.2:1.1.2.4 src/doc/CHANGES-7.1.2:1.1.2.5
--- src/doc/CHANGES-7.1.2:1.1.2.4	Mon Jan 29 19:42:47 2018
+++ src/doc/CHANGES-7.1.2	Tue Jan 30 18:31:12 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.1.2,v 1.1.2.4 2018/01/29 19:42:47 martin Exp $
+# $NetBSD: CHANGES-7.1.2,v 1.1.2.5 2018/01/30 18:31:12 martin Exp $
 
 A complete list of changes from the NetBSD 7.1.1 release to the NetBSD 7.1.2
 release:
@@ -83,3 +83,11 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1557]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1560]
+



CVS commit: [netbsd-7-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:30:31 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong: an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.10.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.1.6.1 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.1.6.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136.2.1 -r1.136.2.1.2.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.10.1
--- src/sys/netinet6/frag6.c:1.55	Fri Aug 30 07:42:08 2013
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:30:31 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.10.1 2018/01/30 18:30:31 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -456,11 +448,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
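Review bot: `prvnxt` from `ip6_get_prevhdr(m, offset)` goes straight into `IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, sizeof(*prvnxtp))` with no check of its own; the reworked ip6_get_prevhdr lives in the ip6_input.c part of this patch, which is cut off here, so if it can now signal a malformed header chain with an error value, that value should be tested before the macro rather than relying on the macro to reject it. Placing the restore below the `m_pkthdr.len` recomputation is the right order: the log says IP6_EXTHDR_GET leaves M_PKTHDR untouched, and pulling bytes together should not change the chain's total length, so the recomputed length stays valid.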

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.1.6.1
--- src/sys/netinet6/ip6_input.c:1.149.2.1	Fri Jan 23 09:27:15 2015
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:30:31 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.149.2.1.6.1 2018/01/30 18:30:31 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1.6.1 2018/01/30 18:30:31 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by 

CVS commit: [netbsd-7] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:29:25 UTC 2018

Modified Files:
src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1560


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.60 -r1.1.2.61 src/doc/CHANGES-7.2

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/doc/CHANGES-7.2
diff -u src/doc/CHANGES-7.2:1.1.2.60 src/doc/CHANGES-7.2:1.1.2.61
--- src/doc/CHANGES-7.2:1.1.2.60	Mon Jan 29 19:40:17 2018
+++ src/doc/CHANGES-7.2	Tue Jan 30 18:29:25 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-7.2,v 1.1.2.60 2018/01/29 19:40:17 martin Exp $
+# $NetBSD: CHANGES-7.2,v 1.1.2.61 2018/01/30 18:29:25 martin Exp $
 
 A complete list of changes from the NetBSD 7.1 release to the NetBSD 7.2
 release:
@@ -5066,3 +5066,11 @@ sys/netipsec/xform_ah.c1.76
 	Fix a remote DoS vulnerability in IPsec-AH.
 	[maxv, ticket #1557]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160 (via patch)
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #1560]
+



CVS commit: [netbsd-7] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:28:46 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-7]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong: an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.4.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.55 src/sys/netinet6/frag6.c:1.55.4.1
--- src/sys/netinet6/frag6.c:1.55	Fri Aug 30 07:42:08 2013
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:28:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $	*/
+/*	$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55 2013/08/30 07:42:08 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.55.4.1 2018/01/30 18:28:45 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -456,11 +448,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
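Review bot: the comment added inside the `for` loop, `XXX XXX Why don't we remove M_PKTHDR?`, records an open question next to the existing `/* Isn't it always true? */` rather than documenting the code; answering it, or pointing at the ticket, would be better than leaving two unresolved doubts about M_PKTHDR in a reassembly path the log message itself calls fragile. The braces added around the loop body are fine and make the later insertion safer.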

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.149.2.1 src/sys/netinet6/ip6_input.c:1.149.2.2
--- src/sys/netinet6/ip6_input.c:1.149.2.1	Fri Jan 23 09:27:15 2015
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:28:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.149.2.2 2018/01/30 18:28:45 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.1 2015/01/23 09:27:15 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.149.2.2 2018/01/30 18:28:45 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1384,50 +1384,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently 

CVS commit: [netbsd-8] src/doc

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:22:29 UTC 2018

Modified Files:
src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Ticket #527


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.107 -r1.1.2.108 src/doc/CHANGES-8.0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/doc/CHANGES-8.0
diff -u src/doc/CHANGES-8.0:1.1.2.107 src/doc/CHANGES-8.0:1.1.2.108
--- src/doc/CHANGES-8.0:1.1.2.107	Fri Jan 26 19:53:10 2018
+++ src/doc/CHANGES-8.0	Tue Jan 30 18:22:29 2018
@@ -1,4 +1,4 @@
-# $NetBSD: CHANGES-8.0,v 1.1.2.107 2018/01/26 19:53:10 martin Exp $
+# $NetBSD: CHANGES-8.0,v 1.1.2.108 2018/01/30 18:22:29 martin Exp $
 
 A complete list of changes from the initial NetBSD 8.0 branch on 2017-06-04
 until the 8.0 release:
@@ -9264,3 +9264,11 @@ sys/netipsec/xform_ah.c1.75-1.76
 	to remotely crash the kernel with a single packet.
 	[maxv, ticket #512]
 
+sys/netinet6/frag6.c1.65
+sys/netinet6/ip6_input.c			1.187
+sys/netinet6/ip6_var.h1.78
+sys/netinet6/raw_ip6.c1.160
+
+	Fix a memory corruption in ip6_get_prevhdr().
+	[maxv, ticket #527]
+



CVS commit: [netbsd-8] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:21:10 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-8]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #527):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong: an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the easier cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.178.2.3 -r1.178.2.4 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.74 -r1.74.6.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.157.2.1 -r1.157.2.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.60.6.1 src/sys/netinet6/frag6.c:1.60.6.2
--- src/sys/netinet6/frag6.c:1.60.6.1	Tue Jan  2 10:20:34 2018
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:21:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -442,14 +442,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -457,11 +449,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 	rtcache_unref(rt, );
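Review bot: on this branch the success path right after the new block ends with `rtcache_unref(rt, ...)` (the trailing context line), while the new `goto dropfrag` leaves the block before reaching it; confirm that the `dropfrag` label on netbsd-8 also drops the `rt` reference, otherwise this error path leaks a route cache reference, a concern the netbsd-7 versions of the same change do not have since their context shows no rtcache_unref here.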

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.178.2.3 src/sys/netinet6/ip6_input.c:1.178.2.4
--- src/sys/netinet6/ip6_input.c:1.178.2.3	Tue Jan  2 10:20:34 2018
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:21:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1405,50 +1405,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header 



CVS commit: src/sys/netinet6

2018-01-30 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jan 30 15:54:03 UTC 2018

Modified Files:
src/sys/netinet6: in6.h ip6_input.c ip6_var.h

Log Message:
Style, localify, remove dead code, and fix typos. No functional change.


To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 src/sys/netinet6/in6.h
cvs rdiff -u -r1.188 -r1.189 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.78 -r1.79 src/sys/netinet6/ip6_var.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




Modified files:

Index: src/sys/netinet6/in6.h
diff -u src/sys/netinet6/in6.h:1.88 src/sys/netinet6/in6.h:1.89
--- src/sys/netinet6/in6.h:1.88	Wed Jan 10 10:56:30 2018
+++ src/sys/netinet6/in6.h	Tue Jan 30 15:54:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: in6.h,v 1.88 2018/01/10 10:56:30 knakahara Exp $	*/
+/*	$NetBSD: in6.h,v 1.89 2018/01/30 15:54:02 maxv Exp $	*/
 /*	$KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $	*/
 
 /*
@@ -555,7 +555,7 @@ struct ip6_mtuinfo {
 #define IPV6CTL_MRTPROTO	8	/* multicast routing protocol */
 #define IPV6CTL_MAXFRAGPACKETS	9	/* max packets reassembly queue */
 #define IPV6CTL_SOURCECHECK	10	/* verify source route and intf */
-#define IPV6CTL_SOURCECHECK_LOGINT 11	/* minimume logging interval */
+#define IPV6CTL_SOURCECHECK_LOGINT 11	/* minimum logging interval */
 #define IPV6CTL_ACCEPT_RTADV	12
 #define IPV6CTL_KEEPFAITH	13
 #define IPV6CTL_LOG_INTERVAL	14

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.188 src/sys/netinet6/ip6_input.c:1.189
--- src/sys/netinet6/ip6_input.c:1.188	Tue Jan 30 15:35:31 2018
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 15:54:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.189 2018/01/30 15:54:02 maxv Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.189 2018/01/30 15:54:02 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -141,7 +141,7 @@ static void ip6intr(void *);
 static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *);
 
 static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *,
-	u_int32_t *);
+u_int32_t *);
 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
 static void sysctl_net_inet6_ip6_setup(struct sysctllog **);
 
@@ -855,14 +855,14 @@ ip6_hopopts_input(u_int32_t *plenp, u_in
 
 	/* validation of the length of the header */
 	IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m,
-		sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
+	sizeof(struct ip6_hdr), sizeof(struct ip6_hbh));
 	if (hbh == NULL) {
 		IP6_STATINC(IP6_STAT_TOOSHORT);
 		return -1;
 	}
 	hbhlen = (hbh->ip6h_len + 1) << 3;
 	IP6_EXTHDR_GET(hbh, struct ip6_hbh *, m, sizeof(struct ip6_hdr),
-		hbhlen);
+	hbhlen);
 	if (hbh == NULL) {
 		IP6_STATINC(IP6_STAT_TOOSHORT);
 		return -1;
@@ -872,12 +872,12 @@ ip6_hopopts_input(u_int32_t *plenp, u_in
 	hbhlen -= sizeof(struct ip6_hbh);
 
 	if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh),
-hbhlen, rtalertp, plenp) < 0)
-		return (-1);
+	hbhlen, rtalertp, plenp) < 0)
+		return -1;
 
 	*offp = off;
 	*mp = m;
-	return (0);
+	return 0;
 }
 
 /*
@@ -1402,7 +1402,7 @@ ip6_get_prevhdr(struct mbuf *m, int off)
 /*
  * get next header offset.  m will be retained.
  */
-int
+static int
 ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
 {
 	struct ip6_hdr ip6;
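Review bot: ip6_nexthdr becomes static here, so the external prototype in ip6_var.h has to go in the same commit and any caller outside ip6_input.c would now fail to link; ip6_var.h is in the modified-files list but its hunk is cut off in this listing, so that is the thing to confirm before merging.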
@@ -1411,7 +1411,7 @@ ip6_nexthdr(struct mbuf *m, int off, int
 
 	/* just in case */
 	if (m == NULL)
-		panic("ip6_nexthdr: m == NULL");
+		panic("%s: m == NULL", __func__);
 	if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len < off)
 		return -1;
 
@@ -1566,11 +1566,6 @@ sysctl_net_inet6_ip6_stats(SYSCTLFN_ARGS
 static void
 sysctl_net_inet6_ip6_setup(struct sysctllog **clog)
 {
-#ifdef RFC2292
-#define IS2292(x, y)	((in6p->in6p_flags & IN6P_RFC2292) ? (x) : (y))
-#else
-#define IS2292(x, y)	(y)
-#endif
 
 	sysctl_createv(clog, 0, NULL, NULL,
 		   CTLFLAG_PERMANENT,
@@ -1614,26 +1609,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl
 		   CTL_NET, PF_INET6, IPPROTO_IPV6,
 		   IPV6CTL_DEFMTU, CTL_EOL);
 #endif
-#ifdef __no_idea__
-	sysctl_createv(clog, 0, NULL, NULL,
-		   CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		   CTLTYPE_INT, "forwsrcrt", NULL,
-		   NULL, 0, &?, 0,
-		   CTL_NET, PF_INET6, IPPROTO_IPV6,
-		   IPV6CTL_FORWSRCRT, CTL_EOL);
-	sysctl_createv(clog, 0, NULL, NULL,
-		   CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		   CTLTYPE_STRUCT, "mrtstats", NULL,
-		   NULL, 0, &?, sizeof(?),
-		   CTL_NET, PF_INET6, IPPROTO_IPV6,
-		   IPV6CTL_MRTSTATS, CTL_EOL);
-	sysctl_createv(clog, 0, NULL, NULL,
-		   CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		   CTLTYPE_?, "mrtproto", NULL,
-		   

CVS commit: src/sys/netinet6

2018-01-30 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jan 30 15:35:31 UTC 2018

Modified Files:
src/sys/netinet6: ip6_input.c

Log Message:
Kick nested fragments.


To generate a diff of this commit:
cvs rdiff -u -r1.187 -r1.188 src/sys/netinet6/ip6_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.187 src/sys/netinet6/ip6_input.c:1.188
--- src/sys/netinet6/ip6_input.c:1.187	Tue Jan 30 14:49:25 2018
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 15:35:31 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.188 2018/01/30 15:35:31 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -248,7 +248,7 @@ ip6_input(struct mbuf *m, struct ifnet *
 	int hit, off = sizeof(struct ip6_hdr), nest;
 	u_int32_t plen;
 	u_int32_t rtalert = ~0;
-	int nxt, ours = 0, rh_present = 0;
+	int nxt, ours = 0, rh_present = 0, frg_present;
 	struct ifnet *deliverifp = NULL;
 	int srcrt = 0;
 	struct rtentry *rt = NULL;
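Review bot: frg_present is declared without an initializer while rh_present next to it gets `= 0`; both are reset at hbhcheck before the loop, but giving frg_present the same `= 0` keeps the two flags symmetric and avoids an uninitialized read if a later change reaches the loop by another path.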
@@ -741,6 +741,7 @@ hbhcheck:
 	percpu_putref(ip6_forward_rt_percpu);
 
 	rh_present = 0;
+	frg_present = 0;
 	while (nxt != IPPROTO_DONE) {
 		if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
 			IP6_STATINC(IP6_STAT_TOOMANYHDR);
@@ -764,6 +765,12 @@ hbhcheck:
 IP6_STATINC(IP6_STAT_BADOPTIONS);
 goto bad;
 			}
+		} else if (nxt == IPPROTO_FRAGMENT) {
+			if (frg_present++) {
+in6_ifstat_inc(rcvif, ifs6_in_hdrerr);
+IP6_STATINC(IP6_STAT_BADOPTIONS);
+goto bad;
+			}
 		}
 
 #ifdef IPSEC
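Review bot: the new IPPROTO_FRAGMENT branch drops a packet carrying a second Fragment header silently, with ifs6_in_hdrerr and IP6_STAT_BADOPTIONS, exactly as the routing-header branch above it does, but nothing in the code says why. A one-line comment pointing at the reason recorded in the 14:49 commit log on this page (nested fragments let the sender steer the offset handed to ip6_get_prevhdr) would keep a later reader from loosening the check; "Kick nested fragments" alone does not carry that.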


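The extension-header walk that the hunk above guards, as an added example that is not NetBSD code: a flat-buffer IPv6 header-chain parser that rejects a second Routing or Fragment header the way ip6_input() does with rh_present and frg_present. It simplifies the kernel's loop in two ways, and both are assumptions of the example: a packet with two Fragment headers in one buffer is treated as the nested case (the kernel only sees the second one after reassembling at the first), and every constructed extension header is the minimal 8 bytes. walk_ext_headers, build_packet, check_chain, the demo_* functions and the sample packets are all invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDRLEN        40
#define IPPROTO_HOPOPTS    0
#define IPPROTO_UDP       17
#define IPPROTO_ROUTING   43
#define IPPROTO_FRAGMENT  44
#define IPPROTO_DSTOPTS   60

/* Negative so they cannot collide with a protocol number. */
enum verdict { V_TOO_SHORT = -1, V_NESTED_RH = -2, V_NESTED_FRAG = -3 };

/* Walk the extension-header chain of a packet held in one flat buffer.
 * Returns the upper-layer protocol (>= 0) or a negative verdict; a second
 * Routing or Fragment header is rejected, as in ip6_input(). */
static int
walk_ext_headers(const uint8_t *pkt, size_t len)
{
	size_t off = IP6_HDRLEN, hlen;
	int nxt, rh_present = 0, frg_present = 0;

	if (len < IP6_HDRLEN)
		return V_TOO_SHORT;
	nxt = pkt[6];                                /* fixed header Next Header */

	for (;;) {
		switch (nxt) {
		case IPPROTO_HOPOPTS:
		case IPPROTO_DSTOPTS:
		case IPPROTO_ROUTING:
			if (nxt == IPPROTO_ROUTING && rh_present++)
				return V_NESTED_RH;
			if (off + 2 > len)
				return V_TOO_SHORT;
			hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len */
			break;
		case IPPROTO_FRAGMENT:
			if (frg_present++)
				return V_NESTED_FRAG;
			hlen = 8;                            /* fixed size */
			break;
		default:
			return nxt;                          /* upper layer reached */
		}
		if (off + hlen > len)
			return V_TOO_SHORT;
		nxt = pkt[off];          /* every extension header starts with Next Header */
		off += hlen;
	}
}

/* Constructed sample packet: fixed header, n minimal 8-byte extension
 * headers of the given types, then an all-zero 8-byte UDP header.
 * Returns the length; cap must hold 48 + 8*n bytes. */
static size_t
build_packet(uint8_t *buf, size_t cap, const int *exts, int n)
{
	size_t off = IP6_HDRLEN;
	int i;

	memset(buf, 0, cap);
	buf[0] = 0x60;                                   /* version 6 */
	buf[6] = (uint8_t)(n > 0 ? exts[0] : IPPROTO_UDP);
	for (i = 0; i < n; i++) {
		buf[off] = (uint8_t)(i + 1 < n ? exts[i + 1] : IPPROTO_UDP);
		buf[off + 1] = 0;        /* Hdr Ext Len 0 (Reserved for Fragment) */
		off += 8;
	}
	off += 8;                                        /* UDP header */
	return off;
}

/* Build and walk; truncate_to != 0 simulates a packet cut short on the wire. */
static int
check_chain(const int *exts, int n, size_t truncate_to)
{
	uint8_t buf[128];
	size_t len = build_packet(buf, sizeof(buf), exts, n);

	if (truncate_to != 0 && truncate_to < len)
		len = truncate_to;
	return walk_ext_headers(buf, len);
}

/* Constructed cases (invented for this example). */
static const int c_valid[]  = { IPPROTO_HOPOPTS, IPPROTO_FRAGMENT };
static const int c_nested[] = { IPPROTO_FRAGMENT, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT };
static const int c_rh[]     = { IPPROTO_ROUTING, IPPROTO_ROUTING };

static int demo_valid(void)           { return check_chain(c_valid, 2, 0); }   /* 17 */
static int demo_nested_fragment(void) { return check_chain(c_nested, 3, 0); }  /* -3 */
static int demo_nested_routing(void)  { return check_chain(c_rh, 2, 0); }      /* -2 */
static int demo_truncated(void)       { return check_chain(c_valid, 2, IP6_HDRLEN + 4); } /* -1 */
```

The length check before every header read is what keeps the walk from becoming the kind of overread the 14:49 commit on this page fixes; the nested checks sit after it so a malformed packet is classified as short rather than as nested.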

CVS commit: src/crypto/external/bsd/libsaslc/dist/src

2018-01-30 Thread Mateusz Kocielski
Module Name:src
Committed By:   shm
Date:   Tue Jan 30 15:28:39 UTC 2018

Modified Files:
src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c

Log Message:
Fixed memory leak (CID: 977744)


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c
diff -u src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12 src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.13
--- src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12	Tue Jan 30 13:11:28 2018
+++ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c	Tue Jan 30 15:28:39 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $ */
+/* $NetBSD: mech_digestmd5.c,v 1.13 2018/01/30 15:28:39 shm Exp $ */
 
 /* Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -35,7 +35,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__RCSID("$NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $");
+__RCSID("$NetBSD: mech_digestmd5.c,v 1.13 2018/01/30 15:28:39 shm Exp $");
 
 #include 
 
@@ -860,7 +860,7 @@ choose_realm(saslc_sess_t *sess, const c
 {
 	const char *user_realms;
 	list_t *l;
-	char *p;
+	char *p = NULL;
 
 	/*/
 	/* The realm containing the user's account. This directive is	 */
@@ -926,6 +926,7 @@ choose_realm(saslc_sess_t *sess, const c
 			return p;
 	}
  use_1st_realm:
+	free(p);
 	if ((p = strdup(realms->value)) == NULL)
 		goto nomem;
 	return p;
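Review bot: free(p) at use_1st_realm is only safe if every path that reaches the label leaves p either NULL or owning heap memory; the lines between the two hunks are not shown, so confirm no path stores a borrowed pointer (a list element, for instance) in p before jumping here, or the new free() turns a leak into an invalid free. The `char *p = NULL;` in the first hunk covers the straight-line entry to the label but not those jumps.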




CVS commit: src/sys/netinet6

2018-01-30 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jan 30 14:49:25 UTC 2018

Modified Files:
src/sys/netinet6: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Fix a buffer overflow in ip6_get_prevhdr. Doing

mtod(m, char *) + len

is wrong: an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.

However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.

Then there are the easier cases: if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.

This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.186 -r1.187 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.77 -r1.78 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.159 -r1.160 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.64 src/sys/netinet6/frag6.c:1.65
--- src/sys/netinet6/frag6.c:1.64	Thu Jan 25 20:55:15 2018
+++ src/sys/netinet6/frag6.c	Tue Jan 30 14:49:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $	*/
+/*	$NetBSD: frag6.c,v 1.65 2018/01/30 14:49:25 maxv Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.64 2018/01/25 20:55:15 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.65 2018/01/30 14:49:25 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -467,14 +467,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -482,11 +474,30 @@ insert:
 
 	if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */
 		int plen = 0;
-		for (t = m; t; t = t->m_next)
+		for (t = m; t; t = t->m_next) {
+			/*
+			 * XXX XXX Why don't we remove M_PKTHDR?
+			 */
 			plen += t->m_len;
+		}
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 	rtcache_unref(rt, );
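Review bot: on the new `goto dropfrag` path, q6 has already been taken off the queue and freed by frag6_remque()/kmem_intr_free() in the hunk above, so the dropfrag label must not touch q6 or its fragment list; and IP6_EXTHDR_GET leaves prvnxtp NULL only after m_pulldown() failed, in which case the macro also sets m to NULL, so dropfrag's m_freem() has to tolerate a NULL mbuf. Both are presumably true today but deserve a comment at the goto. Separately, the `XXX XXX Why don't we remove M_PKTHDR?` note sits inside the plen loop, where it reads as a question about the loop; it belongs on the `if (m->m_flags & M_PKTHDR)` test.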

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.186 src/sys/netinet6/ip6_input.c:1.187
--- src/sys/netinet6/ip6_input.c:1.186	Mon Jan 29 10:57:13 2018
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 14:49:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.186 2018/01/29 10:57:13 maxv Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.186 2018/01/29 10:57:13 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.187 2018/01/30 14:49:25 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1351,50 +1351,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This function supposes that
- *	M includes all headers,
- *	the next header field and the header length field of each header
- *	are valid, and
- *	the sum of each header length equals to OFF.
- * Because of these assumptions, this function must be called very
- * carefully. Moreover, it 

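The pointer-arithmetic error described in the 14:49 commit log above (mtod(m, char *) + len on a chain whose option lives in a later mbuf), as an added example that is not NetBSD code: a toy two-buffer chain, the naive lookup that assumes the first buffer holds everything, and the offset walk that an IP6_EXTHDR_GET-style lookup performs instead. struct tmbuf, chain_at, naive_overruns and the demo_* functions are invented for this example; the 16-byte buffer is chosen so the overrun shows up at a small offset, where a real cluster is 2 KB as the log says.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TMBUF_DATA 16            /* tiny "cluster" so the overrun is obvious */

struct tmbuf {                   /* hypothetical stand-in for struct mbuf */
	struct tmbuf *m_next;
	int           m_len;     /* valid bytes in m_data */
	uint8_t       m_data[TMBUF_DATA];
};

/* The pattern the commit removes: mtod(m, char *) + off assumes the whole
 * packet is in the first mbuf.  Returns 1 when that pointer would lie
 * outside m's valid data (computed, never dereferenced). */
static int
naive_overruns(const struct tmbuf *m, int off)
{
	return off < 0 || off >= m->m_len;
}

/* Offset-based lookup over the whole chain.  Returns a pointer to
 * [off, off+len) if that range lies inside one mbuf, else NULL.  The real
 * IP6_EXTHDR_GET would m_pulldown() a straddling range; this toy refuses. */
static uint8_t *
chain_at(struct tmbuf *m, int off, int len)
{
	if (off < 0 || len <= 0)
		return NULL;
	for (; m != NULL; m = m->m_next) {
		if (off < m->m_len) {
			if (off + len > m->m_len)
				return NULL;     /* straddles two mbufs */
			return m->m_data + off;
		}
		off -= m->m_len;
	}
	return NULL;                     /* past the end of the chain */
}

/* Constructed sample: a 24-byte packet (bytes 0..23) split 16 + 8 over two
 * mbufs, like a driver that filled one buffer and chained a second. */
static struct tmbuf *
sample_chain(struct tmbuf *m0, struct tmbuf *m1)
{
	int i;

	memset(m0, 0, sizeof(*m0));
	memset(m1, 0, sizeof(*m1));
	m0->m_len = TMBUF_DATA;
	m1->m_len = 8;
	m0->m_next = m1;
	for (i = 0; i < m0->m_len; i++)
		m0->m_data[i] = (uint8_t)i;
	for (i = 0; i < m1->m_len; i++)
		m1->m_data[i] = (uint8_t)(TMBUF_DATA + i);
	return m0;
}

/* Byte found at off by the chain walk, or -1 if unreachable. */
static int
demo_read(int off)
{
	struct tmbuf m0, m1;
	uint8_t *p = chain_at(sample_chain(&m0, &m1), off, 1);

	return p == NULL ? -1 : *p;
}

/* 1 if the naive arithmetic would leave the first mbuf for this off. */
static int
demo_naive_overruns(int off)
{
	struct tmbuf m0, m1;

	return naive_overruns(sample_chain(&m0, &m1), off);
}

/* Store a next-header byte at off through the chain walk (what the frag6.c
 * hunk now does with *prvnxtp = nxt) and read it back; -1 on failure. */
static int
demo_store(int off, uint8_t nxt)
{
	struct tmbuf m0, m1;
	struct tmbuf *m = sample_chain(&m0, &m1);
	uint8_t *p = chain_at(m, off, 1);

	if (p == NULL)
		return -1;
	*p = nxt;
	return *chain_at(m, off, 1);
}
```

chain_at refuses a range that straddles two mbufs rather than pulling it contiguous, which is where the real macro calls m_pulldown(); the property that matters is the same: the caller gets NULL instead of a pointer past the end of the first buffer, and frag6.c's new `goto dropfrag` is the handling of exactly that NULL.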

CVS commit: src/crypto/external/bsd/libsaslc/dist/src

2018-01-30 Thread Mateusz Kocielski
Module Name:src
Committed By:   shm
Date:   Tue Jan 30 13:11:28 UTC 2018

Modified Files:
src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c

Log Message:
Fixed potential NULL pointer dereference (CID: 978477)


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 \
src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c
diff -u src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.11 src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.12
--- src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c:1.11	Fri Jun 28 15:04:35 2013
+++ src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c	Tue Jan 30 13:11:28 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: mech_digestmd5.c,v 1.11 2013/06/28 15:04:35 joerg Exp $ */
+/* $NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $ */
 
 /* Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -35,7 +35,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include 
-__RCSID("$NetBSD: mech_digestmd5.c,v 1.11 2013/06/28 15:04:35 joerg Exp $");
+__RCSID("$NetBSD: mech_digestmd5.c,v 1.12 2018/01/30 13:11:28 shm Exp $");
 
 #include 
 
@@ -2294,7 +2294,7 @@ saslc__mech_digestmd5_cont(saslc_sess_t 
 		}
 		*out = saslc__mech_digestmd5_reply(sess, response);
 		free(response);
-		if (out == NULL)
+		if (*out == NULL)
 			return MECH_ERROR;
 
 		*outlen = strlen(*out);
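Review bot: with the test corrected to *out, the MECH_ERROR return leaves *out NULL and *outlen untouched; confirm the caller checks the return value before reading *outlen, because the old condition could never be true and this error path has never actually been exercised before.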




CVS commit: src/sys/kern

2018-01-30 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Tue Jan 30 11:03:06 UTC 2018

Modified Files:
src/sys/kern: subr_workqueue.c

Log Message:
Check whether an already queued work item is being enqueued again, which is not allowed


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/kern/subr_workqueue.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/kern/subr_workqueue.c
diff -u src/sys/kern/subr_workqueue.c:1.34 src/sys/kern/subr_workqueue.c:1.35
--- src/sys/kern/subr_workqueue.c:1.34	Thu Dec 28 07:00:52 2017
+++ src/sys/kern/subr_workqueue.c	Tue Jan 30 11:03:06 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_workqueue.c,v 1.34 2017/12/28 07:00:52 ozaki-r Exp $	*/
+/*	$NetBSD: subr_workqueue.c,v 1.35 2018/01/30 11:03:06 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c)2002, 2005, 2006, 2007 YAMAMOTO Takashi,
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: subr_workqueue.c,v 1.34 2017/12/28 07:00:52 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_workqueue.c,v 1.35 2018/01/30 11:03:06 ozaki-r Exp $");
 
 #include 
 #include 
@@ -354,6 +354,19 @@ workqueue_destroy(struct workqueue *wq)
 	kmem_free(wq->wq_ptr, workqueue_size(wq->wq_flags));
 }
 
+#ifdef DEBUG
+static void
+workqueue_check_duplication(struct workqueue_queue *q, work_impl_t *wk)
+{
+	work_impl_t *_wk;
+
+	SIMPLEQ_FOREACH(_wk, >q_queue_pending, wk_entry) {
+		if (_wk == wk)
+			panic("%s: tried to enqueue a queued work", __func__);
+	}
+}
+#endif
+
 void
 workqueue_enqueue(struct workqueue *wq, struct work *wk0, struct cpu_info *ci)
 {
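Review bot: workqueue_check_duplication only walks q_queue_pending, so it catches a second enqueue of an item that is still pending but not a re-enqueue of an item that has been dequeued and is currently running; that is what the route.c change on this page relies on (it clears its enqueued flag from inside the worker), and a comment saying so would spare the next reader the question. The scan is O(n) under q_mutex, which is acceptable only because the #ifdef DEBUG keeps it out of production kernels.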
@@ -365,6 +378,9 @@ workqueue_enqueue(struct workqueue *wq, 
 
 	mutex_enter(>q_mutex);
 	KASSERT(q->q_waiter == NULL);
+#ifdef DEBUG
+	workqueue_check_duplication(q, wk);
+#endif
 	SIMPLEQ_INSERT_TAIL(>q_queue_pending, wk, wk_entry);
 	cv_signal(>q_cv);
 	mutex_exit(>q_mutex);



CVS commit: src/sys/net

2018-01-30 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Tue Jan 30 11:01:04 UTC 2018

Modified Files:
src/sys/net: route.c

Log Message:
Prevent rt_free_global.wk from being enqueued to the workqueue twice


To generate a diff of this commit:
cvs rdiff -u -r1.205 -r1.206 src/sys/net/route.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.205 src/sys/net/route.c:1.206
--- src/sys/net/route.c:1.205	Tue Jan 23 07:20:10 2018
+++ src/sys/net/route.c	Tue Jan 30 11:01:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: route.c,v 1.205 2018/01/23 07:20:10 ozaki-r Exp $	*/
+/*	$NetBSD: route.c,v 1.206 2018/01/30 11:01:04 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
 #endif
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.205 2018/01/23 07:20:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.206 2018/01/30 11:01:04 ozaki-r Exp $");
 
 #include 
 #ifdef RTFLUSH_DEBUG
@@ -256,6 +256,7 @@ static struct {
 	struct work		wk;
 	kmutex_t		lock;
 	SLIST_HEAD(, rtentry)	queue;
+	bool			enqueued;
 } rt_free_global __cacheline_aligned;
 
 /* psref for rtentry */
@@ -459,6 +460,7 @@ rt_init(void)
 
 	mutex_init(_free_global.lock, MUTEX_DEFAULT, IPL_SOFTNET);
 	SLIST_INIT(_free_global.queue);
+	rt_free_global.enqueued = false;
 
 	rt_psref_class = psref_class_create("rtentry", IPL_SOFTNET);
 
@@ -693,6 +695,7 @@ rt_free_work(struct work *wk, void *arg)
 		struct rtentry *rt;
 
 		mutex_enter(_free_global.lock);
+		rt_free_global.enqueued = false;
 		if ((rt = SLIST_FIRST(_free_global.queue)) == NULL) {
 			mutex_exit(_free_global.lock);
 			return;
@@ -718,8 +721,11 @@ rt_free(struct rtentry *rt)
 	mutex_enter(_free_global.lock);
 	rt_ref(rt);
 	SLIST_INSERT_HEAD(_free_global.queue, rt, rt_free);
+	if (!rt_free_global.enqueued) {
+		workqueue_enqueue(rt_free_global.wq, _free_global.wk, NULL);
+		rt_free_global.enqueued = true;
+	}
 	mutex_exit(_free_global.lock);
-	workqueue_enqueue(rt_free_global.wq, _free_global.wk, NULL);
 }
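Review bot: workqueue_enqueue() is now called with rt_free_global.lock held, which fixes the lock order rt_free_global.lock -> q->q_mutex; rt_free_work() takes rt_free_global.lock only after the workqueue has released its own lock, so there is no inversion, but that ordering is now an invariant and should be recorded next to the rt_free_global definition.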
 
 #ifdef NET_MPSAFE



CVS commit: src/sys/net

2018-01-30 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Tue Jan 30 10:40:02 UTC 2018

Modified Files:
src/sys/net: if.c

Log Message:
Destroy ifq_lock at the end of if_detach

It can still be used in if_detach.


To generate a diff of this commit:
cvs rdiff -u -r1.418 -r1.419 src/sys/net/if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.418 src/sys/net/if.c:1.419
--- src/sys/net/if.c:1.418	Wed Jan 10 01:22:26 2018
+++ src/sys/net/if.c	Tue Jan 30 10:40:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.418 2018/01/10 01:22:26 ozaki-r Exp $	*/
+/*	$NetBSD: if.c,v 1.419 2018/01/30 10:40:02 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.418 2018/01/10 01:22:26 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.419 2018/01/30 10:40:02 ozaki-r Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -1337,8 +1337,6 @@ if_detach(struct ifnet *ifp)
 		altq_detach(>if_snd);
 #endif
 
-	mutex_obj_free(ifp->if_snd.ifq_lock);
-
 #if NCARP > 0
 	/* Remove the interface from any carp group it is a part of.  */
 	if (ifp->if_carp != NULL && ifp->if_type != IFT_CARP)
@@ -1501,6 +1499,7 @@ again:
 
 	mutex_obj_free(ifp->if_ioctl_lock);
 	ifp->if_ioctl_lock = NULL;
+	mutex_obj_free(ifp->if_snd.ifq_lock);
 
 	splx(s);
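Review bot: the line just above nulls if_ioctl_lock after freeing it, but the moved mutex_obj_free(ifp->if_snd.ifq_lock) leaves ifq_lock dangling; set it to NULL as well so a stray use after this point is a deterministic NULL dereference rather than a use-after-free.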
 




CVS commit: src/sys/dev/usb

2018-01-30 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Tue Jan 30 08:53:39 UTC 2018

Modified Files:
src/sys/dev/usb: xhci.c

Log Message:
Avoid panic while detaching xhci. The xhci driver has both sc_child and
sc_child2 but xhci_childdet() only supported sc_child. OK'd by Nick.


To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 src/sys/dev/usb/xhci.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/xhci.c
diff -u src/sys/dev/usb/xhci.c:1.83 src/sys/dev/usb/xhci.c:1.84
--- src/sys/dev/usb/xhci.c:1.83	Wed Dec 20 08:21:11 2017
+++ src/sys/dev/usb/xhci.c	Tue Jan 30 08:53:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xhci.c,v 1.83 2017/12/20 08:21:11 skrll Exp $	*/
+/*	$NetBSD: xhci.c,v 1.84 2018/01/30 08:53:39 msaitoh Exp $	*/
 
 /*
  * Copyright (c) 2013 Jonathan A. Kollasch
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.83 2017/12/20 08:21:11 skrll Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.84 2018/01/30 08:53:39 msaitoh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -577,8 +577,10 @@ xhci_childdet(device_t self, device_t ch
 {
 	struct xhci_softc * const sc = device_private(self);
 
-	KASSERT(sc->sc_child == child);
-	if (child == sc->sc_child)
+	KASSERT((sc->sc_child == child) || (sc->sc_child2 == child));
+	if (child == sc->sc_child2)
+		sc->sc_child2 = NULL;
+	else if (child == sc->sc_child)
 		sc->sc_child = NULL;
 }
 




CVS commit: src/sys/dev/pci

2018-01-30 Thread Kengo NAKAHARA
Module Name:src
Committed By:   knakahara
Date:   Tue Jan 30 08:15:47 UTC 2018

Modified Files:
src/sys/dev/pci: if_wm.c

Log Message:
Make wm(4) watchdog MP-safe. There is almost no influence on performance.

wm(4) does not use ifp->if_watchdog now, that is, it does not touch
ifp->if_timer.
It also uses its own callout (wm_tick) as the watchdog now. The watchdog uses
a per-queue counter to check for timeouts. So, a global lock is not required.


To generate a diff of this commit:
cvs rdiff -u -r1.561 -r1.562 src/sys/dev/pci/if_wm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/pci/if_wm.c
diff -u src/sys/dev/pci/if_wm.c:1.561 src/sys/dev/pci/if_wm.c:1.562
--- src/sys/dev/pci/if_wm.c:1.561	Mon Jan 29 04:17:32 2018
+++ src/sys/dev/pci/if_wm.c	Tue Jan 30 08:15:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wm.c,v 1.561 2018/01/29 04:17:32 knakahara Exp $	*/
+/*	$NetBSD: if_wm.c,v 1.562 2018/01/30 08:15:47 knakahara Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Wasabi Systems, Inc.
@@ -83,7 +83,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.561 2018/01/29 04:17:32 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wm.c,v 1.562 2018/01/30 08:15:47 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -183,6 +183,11 @@ int	wm_debug = WM_DEBUG_TX | WM_DEBUG_RX
 int wm_disable_msi = WM_DISABLE_MSI;
 int wm_disable_msix = WM_DISABLE_MSIX;
 
+#ifndef WM_WATCHDOG_TIMEOUT
+#define WM_WATCHDOG_TIMEOUT 5
+#endif
+static int wm_watchdog_timeout = WM_WATCHDOG_TIMEOUT;
+
 /*
  * Transmit descriptor list size.  Due to errata, we can only have
  * 256 hardware descriptors in the ring on < 82544, but we use 4096
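Review bot: wm_watchdog_timeout is compared against a time_uptime difference, so its unit is seconds; say so in a comment next to WM_WATCHDOG_TIMEOUT. It is also a plain static with no sysctl, so it cannot be tuned at runtime; if that is deliberate, a comment should say so too.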
@@ -363,6 +368,9 @@ struct wm_txqueue {
 
 	bool txq_stopping;
 
+	bool txq_watchdog;
+	time_t txq_lastsent;
+
 	uint32_t txq_packets;		/* for AIM */
 	uint32_t txq_bytes;		/* for AIM */
 #ifdef WM_EVENT_COUNTERS
@@ -680,8 +688,8 @@ static int	wm_detach(device_t, int);
 static bool	wm_suspend(device_t, const pmf_qual_t *);
 static bool	wm_resume(device_t, const pmf_qual_t *);
 static void	wm_watchdog(struct ifnet *);
-static void	wm_watchdog_txq(struct ifnet *, struct wm_txqueue *);
-static void	wm_watchdog_txq_locked(struct ifnet *, struct wm_txqueue *);
+static void	wm_watchdog_txq(struct ifnet *, struct wm_txqueue *, uint16_t *);
+static void	wm_watchdog_txq_locked(struct ifnet *, struct wm_txqueue *, uint16_t *);
 static void	wm_tick(void *);
 static int	wm_ifflags_cb(struct ethercom *);
 static int	wm_ioctl(struct ifnet *, u_long, void *);
@@ -2683,7 +2691,7 @@ alloc_retry:
 		if (wm_is_using_multiqueue(sc))
 			ifp->if_transmit = wm_transmit;
 	}
-	ifp->if_watchdog = wm_watchdog;
+	/* wm(4) doest not use ifp->if_watchdog, use wm_tick as watchdog. */
 	ifp->if_init = wm_init;
 	ifp->if_stop = wm_stop;
 	IFQ_SET_MAXLEN(>if_snd, max(WM_IFQUEUELEN, IFQ_MAXLEN));
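Review bot: typo in the new comment: "doest not" should be "does not".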
@@ -2945,37 +2953,47 @@ wm_watchdog(struct ifnet *ifp)
 {
 	int qid;
 	struct wm_softc *sc = ifp->if_softc;
+	uint16_t hang_queue = 0; /* Max queue number of wm(4) is 82576's 16. */
 
 	for (qid = 0; qid < sc->sc_nqueues; qid++) {
 		struct wm_txqueue *txq = >sc_queue[qid].wmq_txq;
 
-		wm_watchdog_txq(ifp, txq);
+		wm_watchdog_txq(ifp, txq, _queue);
 	}
 
-	/* Reset the interface. */
-	(void) wm_init(ifp);
-
 	/*
-	 * There are still some upper layer processing which call
-	 * ifp->if_start(). e.g. ALTQ or one CPU system
+	 * IF any of queues hanged up, reset the interface.
 	 */
-	/* Try to get more packets going. */
-	ifp->if_start(ifp);
+	if (hang_queue != 0) {
+		(void) wm_init(ifp);
+
+		/*
+		 * There are still some upper layer processing which call
+		 * ifp->if_start(). e.g. ALTQ or one CPU system
+		 */
+		/* Try to get more packets going. */
+		ifp->if_start(ifp);
+	}
 }
 
+
 static void
-wm_watchdog_txq(struct ifnet *ifp, struct wm_txqueue *txq)
+wm_watchdog_txq(struct ifnet *ifp, struct wm_txqueue *txq, uint16_t *hang)
 {
 
 	mutex_enter(txq->txq_lock);
-	wm_watchdog_txq_locked(ifp, txq);
+	if (txq->txq_watchdog &&
+	time_uptime - txq->txq_lastsent > wm_watchdog_timeout) {
+		wm_watchdog_txq_locked(ifp, txq, hang);
+	}
 	mutex_exit(txq->txq_lock);
 }
 
 static void
-wm_watchdog_txq_locked(struct ifnet *ifp, struct wm_txqueue *txq)
+wm_watchdog_txq_locked(struct ifnet *ifp, struct wm_txqueue *txq, uint16_t *hang)
 {
 	struct wm_softc *sc = ifp->if_softc;
+	struct wm_queue *wmq = container_of(txq, struct wm_queue, wmq_txq);
 
 	KASSERT(mutex_owned(txq->txq_lock));
 
@@ -2984,6 +3002,8 @@ wm_watchdog_txq_locked(struct ifnet *ifp
 	 * before we report an error.
 	 */
 	wm_txeof(txq, UINT_MAX);
+	if (txq->txq_watchdog)
+		*hang |= __BIT(wmq->wmq_id);
 
 	if (txq->txq_free != WM_NTXDESC(txq)) {
 #ifdef WM_DEBUG
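Review bot: *hang is set from txq_watchdog after wm_txeof() runs, so the full wm_init() reset depends on wm_txeof() clearing txq_watchdog once the ring has drained; that code is outside this listing, so confirm it, otherwise a queue that caught up between the timestamp check and wm_txeof() would still be counted as hung and trigger an interface reset.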
@@ -3044,8 +3064,13 @@ wm_tick(void *arg)
 
 	WM_CORE_LOCK(sc);
 
-	if (sc->sc_core_stopping)
-		goto out;
+	if (sc->sc_core_stopping) {
+		WM_CORE_UNLOCK(sc);
+#ifndef WM_MPSAFE
+		splx(s);
