CVS commit: [netbsd-6-1] src/sys/net/npf

2018-05-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May 17 13:47:24 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.7.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.9.2.1 -r1.10.4.9.2.2 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_alg_icmp.c
diff -u src/sys/net/npf/npf_alg_icmp.c:1.8.4.7 src/sys/net/npf/npf_alg_icmp.c:1.8.4.7.2.1
--- src/sys/net/npf/npf_alg_icmp.c:1.8.4.7	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_alg_icmp.c	Thu May 17 13:47:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $	*/
 
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7 2013/02/11 21:49:49 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.8.4.7.2.1 2018/05/17 13:47:24 martin Exp $");
 
 #include 
 #include 
@@ -162,12 +162,14 @@ npfa_icmp_match(npf_cache_t *npc, nbuf_t
 /*
  * npfa_icmp{4,6}_inspect: retrieve unique identifiers - either ICMP query
  * ID or TCP/UDP ports of the original packet, which is embedded.
+ *
+ * => Sets hasqid=true if the packet has a Query Id. In this case neither
+ *the nbuf nor npc is touched.
  */
 
 static bool
-npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp4_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 792. */
 	switch (type) {
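Review bot: The new `hasqid` out-parameter is only written on the query-ID path (the `*hasqid = true;` in the next hunk) and never cleared, so the function's contract silently depends on the caller pre-initialising it; the one visible caller, npfa_icmp_inspect, does set `hasqid = false`, but nothing in the header comment says this is required. Either make `*hasqid = false;` the first statement of both npfa_icmp4_inspect and npfa_icmp6_inspect (its signature hunk is @@ -205,9 +203,8 @@), or add to the comment block above: ` * => The caller must initialise *hasqid to false; it is only ever set.`. The body of npfa_icmp4_inspect continues outside this hunk.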
@@ -191,12 +193,8 @@ npfa_icmp4_inspect(const int type, npf_c
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQ:
 	case ICMP_IREQREPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp, icmp_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
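Review bot: Dropping the `nbuf_advance()` check makes this case rely on an invariant established elsewhere — per the log message, npf_cache_all() now guarantees the 16-bit query ID is present in the nbuf — but the replacement comment `/* Contains ICMP query ID. */` does not record that dependency, and the npf_inet.c side of the change is not on this page. Suggest `/* Contains ICMP query ID; npf_cache_all() already ensured it is in the nbuf. */` here and in the matching ICMP6_ECHO_REQUEST/ICMP6_ECHO_REPLY case of the @@ -226,12 +223,8 @@ hunk, so the next reader knows where the bound is enforced. The enclosing switch starts before this hunk.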
@@ -205,9 +203,8 @@ npfa_icmp4_inspect(const int type, npf_c
 }
 
 static bool
-npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf)
+npfa_icmp6_inspect(const int type, npf_cache_t *npc, nbuf_t *nbuf, bool *hasqid)
 {
-	u_int offby;
 
 	/* Per RFC 4443. */
 	switch (type) {
@@ -226,12 +223,8 @@ npfa_icmp6_inspect(const int type, npf_c
 
 	case ICMP6_ECHO_REQUEST:
 	case ICMP6_ECHO_REPLY:
-		/* Should contain ICMP query ID - ensure. */
-		offby = offsetof(struct icmp6_hdr, icmp6_id);
-		if (!nbuf_advance(nbuf, offby, sizeof(uint16_t))) {
-			return false;
-		}
-		npc->npc_info |= NPC_ICMP_ID;
+		/* Contains ICMP query ID. */
+		*hasqid = true;
 		return true;
 	default:
 		break;
@@ -242,12 +235,12 @@ npfa_icmp6_inspect(const int type, npf_c
 /*
  * npfa_icmp_session: ALG ICMP inspector.
  *
- * => Returns true if "enpc" is filled.
+ * => Returns false if there is a problem with the format.
  */
 static bool
 npfa_icmp_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_cache_t *enpc)
 {
-	bool ret;
+	bool ret, hasqid = false;
 
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_ICMP));
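Review bot: The comment block edited here still names the function `npfa_icmp_session` while the definition directly below is `npfa_icmp_inspect`; since the block is being touched anyway, change the line to ` * npfa_icmp_inspect: ALG ICMP inspector.`. The new `=> Returns false if there is a problem with the format.` line replaces the statement about when `enpc` is filled, so a caller can no longer tell from the header whether `enpc` is valid after a true return; given the new `hasqid` path, something like ` * => On true return, enpc is filled unless the packet carried a query ID.` would restore that, though the part of the body that decides it is outside the hunk.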
@@ -265,10 +258,10 @@ npfa_icmp_inspect(npf_cache_t *npc, nbuf
 	 */
 	if (npf_iscached(npc, NPC_IP4)) {
 		const struct icmp *ic = npc->npc_l4.icmp;
-		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf);
+		ret = npfa_icmp4_inspect(ic->icmp_type, enpc, nbuf, );
 	} else if 

CVS commit: [netbsd-6-1] src/sys/net/npf

2018-05-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu May 17 13:47:24 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) via patch (requested by maxv in ticket #1549):

sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27,1.28

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.8.4.7 -r1.8.4.7.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.10.4.9.2.1 -r1.10.4.9.2.2 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2018-04-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Apr  5 11:35:58 UTC 2018

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf.h

Log Message:
Pullup the following revision, requested by maxv in ticket #1542:

sys/net/npf/npf.h   1.55

Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.14.2.12 -r1.14.2.12.2.1 src/sys/net/npf/npf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf.h
diff -u src/sys/net/npf/npf.h:1.14.2.12 src/sys/net/npf/npf.h:1.14.2.12.2.1
--- src/sys/net/npf/npf.h:1.14.2.12	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf.h	Thu Apr  5 11:35:57 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.14.2.12 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf.h,v 1.14.2.12.2.1 2018/04/05 11:35:57 martin Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -99,7 +99,7 @@ typedef struct {
 	npf_addr_t *		npc_dstip;
 	/* Size (v4 or v6) of IP addresses. */
 	uint8_t			npc_alen;
-	uint8_t			npc_hlen;
+	uint32_t		npc_hlen;
 	uint16_t		npc_proto;
 	/* IPv4, IPv6. */
 	union {
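Review bot: Widening `npc_hlen` to `uint32_t` removes the 8-bit wrap described in the log, but the field still has no comment, unlike `npc_alen` immediately above it, and the log itself notes that npf_cache_ip may still advance npc_hlen past the end of the mbuf — no bound check against the packet length is part of this diff. Suggest `uint32_t npc_hlen; /* IP header length incl. IPv6 extension headers; must be bounded by the nbuf length */` so the remaining obligation is visible at the definition. The enclosing typedef'd struct starts and ends outside the hunk.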



CVS commit: [netbsd-6-1] src/sys/net/npf

2013-11-17 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 17 19:17:04 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_impl.h npf_nat.c npf_session.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.


To generate a diff of this commit:
cvs rdiff -u -r1.10.2.14 -r1.10.2.14.2.1 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.10.2.8 -r1.10.2.8.2.1 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.10.4.9 -r1.10.4.9.2.1 src/sys/net/npf/npf_session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.10.2.14 src/sys/net/npf/npf_impl.h:1.10.2.14.2.1
--- src/sys/net/npf/npf_impl.h:1.10.2.14	Mon Feb 18 18:26:14 2013
+++ src/sys/net/npf/npf_impl.h	Sun Nov 17 19:17:04 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.10.2.14 2013/02/18 18:26:14 riz Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.10.2.14.2.1 2013/11/17 19:17:04 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -285,7 +285,7 @@ void		npf_session_release(npf_session_t 
 void		npf_session_expire(npf_session_t *);
 bool		npf_session_pass(const npf_session_t *, npf_rproc_t **);
 void		npf_session_setpass(npf_session_t *, npf_rproc_t *);
-int		npf_session_setnat(npf_session_t *, npf_nat_t *, const int);
+int		npf_session_setnat(npf_session_t *, npf_nat_t *, u_int);
 npf_nat_t *	npf_session_retnat(npf_session_t *, const int, bool *);
 
 int		npf_session_save(prop_array_t, prop_array_t);
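Review bot: The third parameter of npf_session_setnat changes from `const int` to `u_int`, and per the npf_nat.c hunk at @@ -676,7 +676,7 @@ the value passed changes from the direction `di` to `np->n_type`, yet the unnamed prototype gives no hint that the argument's meaning changed. A short comment above the declaration, e.g. `/* third argument is the NAT type (np->n_type), not the packet direction */`, would keep the header honest. The definition in npf_session.c lies beyond the visible part of that diff, so whether it validates the value cannot be checked here.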

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.10.2.8 src/sys/net/npf/npf_nat.c:1.10.2.8.2.1
--- src/sys/net/npf/npf_nat.c:1.10.2.8	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_nat.c	Sun Nov 17 19:17:04 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.10.2.8 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.10.2.8.2.1 2013/11/17 19:17:04 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.10.2.8 2013/02/11 21:49:49 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_nat.c,v 1.10.2.8.2.1 2013/11/17 19:17:04 bouyer Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -676,7 +676,7 @@ translate:
 		 * Note: packet now has a translated address in the cache.
 		 */
 		nt-nt_session = se;
-		error = npf_session_setnat(se, nt, di);
+		error = npf_session_setnat(se, nt, np-n_type);
 out:
 		if (error) {
 			/* If session was for NAT only - expire it. */

Index: src/sys/net/npf/npf_session.c
diff -u src/sys/net/npf/npf_session.c:1.10.4.9 src/sys/net/npf/npf_session.c:1.10.4.9.2.1
--- src/sys/net/npf/npf_session.c:1.10.4.9	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_session.c	Sun Nov 17 19:17:04 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_session.c,v 1.10.4.9 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_session.c,v 1.10.4.9.2.1 2013/11/17 19:17:04 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -80,7 +80,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_session.c,v 1.10.4.9 2013/02/11 21:49:49 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_session.c,v 1.10.4.9.2.1 2013/11/17 19:17:04 bouyer Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -140,7 +140,7 @@ struct npf_session {
 		uint16_t	if_idx;
 	} s_common_id;
 	/* Flags and the protocol state. */
-	int			s_flags;
+	u_int			s_flags;
 	npf_state_t		s_state;
 	/* Association of rule procedure data. */
 	npf_rproc_t *		s_rproc;
@@ -163,18 +163,20 @@ struct npf_sehash {
 };
 
 /*
- * Session flags:
- * - PFIL_IN and PFIL_OUT values are reserved for direction.
- * - SE_ACTIVE: session is active i.e. visible on inspection.
- * - SE_PASS: a pass session.
- * - SE_EXPIRE: explicitly expire the session.
- * - SE_REMOVING: session is being removed (indicate need to enter G/C list).
+ * Session flags: PFIL_IN and PFIL_OUT values are reserved for direction.
  */
 CTASSERT(PFIL_ALL == (0x001 | 0x002));
-#define	SE_ACTIVE		0x004
-#define	SE_PASS			0x008
-#define	SE_EXPIRE		0x010
-#define	SE_REMOVING		0x020
+#define	SE_ACTIVE		0x004	/* visible on inspection */
+#define	SE_PASS			0x008	/* perform implicit passing */
+#define	SE_EXPIRE		0x010	/* explicitly expire */
+
+/*
+ * Flags to indicate removal of forwards/backwards session entries or
+ * completion of session removal itself (i.e. both entries).
+ */
+#define	SE_REMFORW		0x020
+#define	SE_REMBACK		0x040
+#define	SE_REMOVED		(SE_REMFORW | SE_REMBACK)
 
 /*
  * Session tracking state: disabled (off), enabled (on) or flush request.
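Review bot: The existing `CTASSERT(PFIL_ALL == (0x001 | 0x002))` pins the two direction bits, but nothing checks that the new SE_REMFORW/SE_REMBACK bits stay clear of them, which is what keeps direction and removal state from aliasing in the single `s_flags` word. Add `CTASSERT((SE_REMOVED & PFIL_ALL) == 0);` after the new defines. Since the log describes a race fix and `s_flags` became `u_int` in the previous hunk, the intent is presumably atomic bit updates on that word; the code doing so is outside the visible hunks.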
@@ -466,7 +468,7 @@ npf_session_lookup(const npf_cache_t *np
 	npf_sentry_t 

CVS commit: [netbsd-6-1] src/sys/net/npf

2013-11-17 Thread Manuel Bouyer
Module Name:src
Committed By:   bouyer
Date:   Sun Nov 17 19:17:04 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_impl.h npf_nat.c npf_session.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #985):
sys/net/npf/npf_impl.h: revision 1.35
sys/net/npf/npf_nat.c: revision 1.21
sys/net/npf/npf_session.c: revision 1.26
npf_session_setnat: fix the race condition when the old connection is still
being expired while a new/duplicate is being created.


To generate a diff of this commit:
cvs rdiff -u -r1.10.2.14 -r1.10.2.14.2.1 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.10.2.8 -r1.10.2.8.2.1 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.10.4.9 -r1.10.4.9.2.1 src/sys/net/npf/npf_session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2013-09-22 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Sun Sep 22 17:27:45 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_ctl.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #952):
sys/net/npf/npf_ctl.c: revision 1.27
npfctl_rule: fixes for the dynamic rules.


To generate a diff of this commit:
cvs rdiff -u -r1.12.2.9 -r1.12.2.9.2.1 src/sys/net/npf/npf_ctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_ctl.c
diff -u src/sys/net/npf/npf_ctl.c:1.12.2.9 src/sys/net/npf/npf_ctl.c:1.12.2.9.2.1
--- src/sys/net/npf/npf_ctl.c:1.12.2.9	Mon Feb 18 18:26:14 2013
+++ src/sys/net/npf/npf_ctl.c	Sun Sep 22 17:27:45 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.12.2.9 2013/02/18 18:26:14 riz Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.12.2.9.2.1 2013/09/22 17:27:45 riz Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.12.2.9 2013/02/18 18:26:14 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_ctl.c,v 1.12.2.9.2.1 2013/09/22 17:27:45 riz Exp $);
 
 #include sys/param.h
 #include sys/conf.h
@@ -244,7 +244,7 @@ npf_mk_code(prop_object_t obj, int type,
 		}
 		break;
 	case NPF_CODE_BPF:
-		if (!bpf_validate(cptr, clen)) {
+		if (!bpf_validate(cptr, clen / sizeof(struct bpf_insn))) {
 			return EINVAL;
 		}
 		break;
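Review bot: Dividing `clen` by `sizeof(struct bpf_insn)` fixes the count handed to bpf_validate(), but a `clen` that is not a multiple of the instruction size is now silently truncated rather than rejected, and this code is presumably supplied from userland via the ioctl path, so malformed lengths should be refused outright. Suggest `if ((clen % sizeof(struct bpf_insn)) != 0 || !bpf_validate(cptr, clen / sizeof(struct bpf_insn))) {`. Whether bpf_validate() itself refuses a zero instruction count is not visible here; if not, `clen == 0` should be rejected as well. The enclosing switch in npf_mk_code starts before the hunk.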
@@ -550,14 +550,16 @@ npfctl_rule(u_long cmd, void *data)
 	prop_dictionary_get_uint32(npf_rule, command, rcmd);
 	if (!prop_dictionary_get_cstring_nocopy(npf_rule,
 	ruleset-name, ruleset_name)) {
-		return EINVAL;
+		error = EINVAL;
+		goto out;
 	}
 
 	if (rcmd == NPF_CMD_RULE_ADD) {
-		if ((rl = npf_rule_alloc(npf_rule)) == NULL) {
-			return EINVAL;
-		}
 		retdict = prop_dictionary_create();
+		if (npf_mk_singlerule(npf_rule, NULL, rl, retdict) != 0) {
+			error = EINVAL;
+			goto out;
+		}
 	}
 
 	npf_config_enter();
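Review bot: The failure branch of npf_mk_singlerule() collapses its return value into `EINVAL`, so if that function already reports an errno the caller discards it; `if ((error = npf_mk_singlerule(npf_rule, NULL, &rl, retdict)) != 0) { goto out; }` preserves it. Both new `goto out` paths also depend on `retdict` being initialised to NULL before the first one (so the `if (retdict)` at the label is safe) and on `error` being declared; those declarations are above the hunk and cannot be checked here. npfctl_rule continues on both sides of the hunk.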
@@ -618,6 +620,7 @@ npfctl_rule(u_long cmd, void *data)
 	if (rl) {
 		npf_rule_free(rl);
 	}
+out:
 	if (retdict) {
 		prop_object_release(npf_rule);
 		prop_dictionary_copyout_ioctl(pref, cmd, retdict);
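Review bot: The new `out:` label sits after the `if (rl) { npf_rule_free(rl); }` block, so when npf_mk_singlerule() fails in the previous hunk the rule is not freed on the way out; whether that function leaves a partially built rule in `rl` on failure, or frees it itself, is not visible on this page and should be confirmed. If it can leave one behind, placing `out:` before the `npf_rule_free(rl)` block (with `rl` initialised to NULL above the hunk) closes the leak; otherwise a comment at the label such as `/* rl is never allocated when arriving here from an error path */` documents the invariant. The rest of npfctl_rule is outside the hunk.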



CVS commit: [netbsd-6-1] src/sys/net/npf

2013-09-22 Thread Jeff Rizzo
Module Name:src
Committed By:   riz
Date:   Sun Sep 22 17:27:45 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_ctl.c

Log Message:
Pull up following revision(s) (requested by rmind in ticket #952):
sys/net/npf/npf_ctl.c: revision 1.27
npfctl_rule: fixes for the dynamic rules.


To generate a diff of this commit:
cvs rdiff -u -r1.12.2.9 -r1.12.2.9.2.1 src/sys/net/npf/npf_ctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-6-1] src/sys/net/npf

2013-09-12 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Fri Sep 13 04:17:41 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_inet.c

Log Message:
Pull up following revision (requested by riz in ticket #942):
sys/net/npf/npf_inet.c: revision 1.23
Fix bugs to prevent panic:
- npf_cache_ip: re-fetch IPv6 header since nbufs might have been reallocated.
- npf_cache_all: clear NBUF_DATAREF_RESET since npf_cache_ip() handles it.


To generate a diff of this commit:
cvs rdiff -u -r1.10.4.9 -r1.10.4.9.2.1 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_inet.c
diff -u src/sys/net/npf/npf_inet.c:1.10.4.9 src/sys/net/npf/npf_inet.c:1.10.4.9.2.1
--- src/sys/net/npf/npf_inet.c:1.10.4.9	Mon Feb 11 21:49:49 2013
+++ src/sys/net/npf/npf_inet.c	Fri Sep 13 04:17:41 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_inet.c,v 1.10.4.9 2013/02/11 21:49:49 riz Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.10.4.9.2.1 2013/09/13 04:17:41 msaitoh Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -39,7 +39,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: npf_inet.c,v 1.10.4.9 2013/02/11 21:49:49 riz Exp $);
+__KERNEL_RCSID(0, $NetBSD: npf_inet.c,v 1.10.4.9.2.1 2013/09/13 04:17:41 msaitoh Exp $);
 
 #include sys/param.h
 #include sys/types.h
@@ -391,8 +391,12 @@ npf_cache_ip(npf_cache_t *npc, nbuf_t *n
 			npc-npc_hlen += hlen;
 		}
 
-		/* Restore the offset. */
+		/*
+		 * Re-fetch the header pointers (nbufs might have been
+		 * reallocated).  Restore the original offset (if any).
+		 */
 		nbuf_reset(nbuf);
+		ip6 = nbuf_dataptr(nbuf);
 		if (off) {
 			nbuf_advance(nbuf, off, 0);
 		}
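Review bot: Re-fetching `ip6` addresses the reallocation hazard, but the `nbuf_advance(nbuf, off, 0)` that restores the offset still discards its return value, whereas the same call is checked elsewhere in this module set (`if (!nbuf_advance(...))` in npf_alg_icmp.c); if it can fail after a reallocation, `ip6` and the nbuf position would silently disagree. Suggest `if (off && !nbuf_advance(nbuf, off, 0)) {` followed by the same failure return npf_cache_ip uses for a malformed header — that return convention is outside the hunk. npf_cache_ip starts and continues outside the hunk.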
@@ -437,6 +441,7 @@ again:
 	 */
 	flags = npf_cache_ip(npc, nbuf);
 	if ((flags  NPC_IP46) == 0 || (flags  NPC_IPFRAG) != 0) {
+		nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET);
 		npc-npc_info |= flags;
 		return flags;
 	}
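Review bot: The new `nbuf_unset_flag(nbuf, NBUF_DATAREF_RESET)` on the early-return path carries no comment explaining why the flag is dropped here, while the log message states the reason (npf_cache_ip() has already handled the reset); a reader of the code alone cannot recover that. Suggest `/* npf_cache_ip() already handled the reset; clear the flag so it is not acted on again. */` immediately above the call. The `again:` loop this sits in is outside the hunk.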



CVS commit: [netbsd-6-1] src/sys/net/npf

2013-09-12 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Fri Sep 13 04:17:41 UTC 2013

Modified Files:
src/sys/net/npf [netbsd-6-1]: npf_inet.c

Log Message:
Pull up following revision (requested by riz in ticket #942):
sys/net/npf/npf_inet.c: revision 1.23
Fix bugs to prevent panic:
- npf_cache_ip: re-fetch IPv6 header since nbufs might have been reallocated.
- npf_cache_all: clear NBUF_DATAREF_RESET since npf_cache_ip() handles it.


To generate a diff of this commit:
cvs rdiff -u -r1.10.4.9 -r1.10.4.9.2.1 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.