CVS commit: src/sys/net
Module Name:    src
Committed By:   mrg
Date:           Wed Jan 31 07:33:18 UTC 2018

Modified Files:
        src/sys/net: if_ipsec.c

Log Message:
apply a little more #ifdef INET/INET6. fixes !INET6 builds.

To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/if_ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
CVS commit: src/share/misc
Module Name:    src
Committed By:   ginsbach
Date:           Tue Jan 30 22:45:12 UTC 2018

Modified Files:
        src/share/misc: acronyms.comp

Log Message:
Add more "* as a service" and "software defined *" acronyms

To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 src/share/misc/acronyms.comp
CVS commit: [netbsd-6-0] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 22:11:24 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6-0]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously

To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.12.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.12.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.12.1 src/sys/netinet6/ipcomp_input.c
CVS commit: [netbsd-6-1] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 22:10:56 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously

To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 22:10:20 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously

To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.8.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.8.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.8.1 src/sys/netinet6/ipcomp_input.c
CVS commit: src/sys/dev/ic
Module Name:    src
Committed By:   jakllsch
Date:           Tue Jan 30 20:20:38 UTC 2018

Modified Files:
        src/sys/dev/ic: mpt_netbsd.c

Log Message:
Move mpt_disc_enable setting into is_scsi block.

The field is only 16 bits, and is only referred to in the is_scsi case.

To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/sys/dev/ic/mpt_netbsd.c
CVS commit: src/sys/dev/ic
Module Name:    src
Committed By:   jakllsch
Date:           Tue Jan 30 20:15:41 UTC 2018

Modified Files:
        src/sys/dev/ic: mpt.c

Log Message:
More fully initialize mpt_disc_enable

To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/dev/ic/mpt.c
CVS commit: src/sys/arch/shark/isa
Module Name:    src
Committed By:   skrll
Date:           Tue Jan 30 19:22:28 UTC 2018

Modified Files:
        src/sys/arch/shark/isa: isa_irq.S

Log Message:
whitespace

To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/arch/shark/isa/isa_irq.S
CVS commit: src/sys/dev/ic
Module Name:    src
Committed By:   jakllsch
Date:           Tue Jan 30 19:13:09 UTC 2018

Modified Files:
        src/sys/dev/ic: mpt_netbsd.h

Log Message:
remove unused softc variables

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/dev/ic/mpt_netbsd.h
CVS commit: [netbsd-6-0] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:48:17 UTC 2018

Modified Files:
        src/doc [netbsd-6-0]: CHANGES-6.0.7

Log Message:
Ticket #1523

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.123 -r1.1.2.124 src/doc/CHANGES-6.0.7
CVS commit: [netbsd-6-0] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:47:35 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)
        sys/netinet6/ah_input.c: adjust other callers (patch)
        sys/netinet6/esp_input.c: adjust other callers (patch)
        sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.52.2.1.4.1 -r1.52.2.1.4.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.6.1 -r1.58.6.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.6.1 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-6-1] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:46:45 UTC 2018

Modified Files:
        src/doc [netbsd-6-1]: CHANGES-6.1.6

Log Message:
Ticket #1523

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.120 -r1.1.2.121 src/doc/CHANGES-6.1.6
CVS commit: [netbsd-6-1] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:45:59 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)
        sys/netinet6/ah_input.c: adjust other callers (patch)
        sys/netinet6/esp_input.c: adjust other callers (patch)
        sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-6] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:45:16 UTC 2018

Modified Files:
        src/doc [netbsd-6]: CHANGES-6.2

Log Message:
Ticket #1523

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.316 -r1.1.2.317 src/doc/CHANGES-6.2
CVS commit: [netbsd-6] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:44:22 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-6]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)
        sys/netinet6/ah_input.c: adjust other callers (patch)
        sys/netinet6/esp_input.c: adjust other callers (patch)
        sys/netinet6/ipcomp_input.c: adjust other callers (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.3 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.2.1 -r1.58.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.2.1 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-7-0] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:32:34 UTC 2018

Modified Files:
        src/doc [netbsd-7-0]: CHANGES-7.0.3

Log Message:
Ticket #1560

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.74 -r1.1.2.75 src/doc/CHANGES-7.0.3
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:31:53 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.1.2.1 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.1.2.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-7-1] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:31:12 UTC 2018

Modified Files:
        src/doc [netbsd-7-1]: CHANGES-7.1.2

Log Message:
Ticket #1560

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.4 -r1.1.2.5 src/doc/CHANGES-7.1.2
CVS commit: [netbsd-7-1] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:30:31 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.10.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.1.6.1 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.1.6.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136.2.1 -r1.136.2.1.2.1 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-7] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:29:25 UTC 2018

Modified Files:
        src/doc [netbsd-7]: CHANGES-7.2

Log Message:
Ticket #1560

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.60 -r1.1.2.61 src/doc/CHANGES-7.2
CVS commit: [netbsd-7] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:28:46 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1560):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.55.4.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.149.2.1 -r1.149.2.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.62.2.1 -r1.62.2.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.136.2.1 -r1.136.2.2 src/sys/netinet6/raw_ip6.c
CVS commit: [netbsd-8] src/doc
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:22:29 UTC 2018

Modified Files:
        src/doc [netbsd-8]: CHANGES-8.0

Log Message:
Ticket #527

To generate a diff of this commit:
cvs rdiff -u -r1.1.2.107 -r1.1.2.108 src/doc/CHANGES-8.0
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:    src
Committed By:   martin
Date:           Tue Jan 30 18:21:10 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-8]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #527):

        sys/netinet6/frag6.c: revision 1.65
        sys/netinet6/ip6_input.c: revision 1.187
        sys/netinet6/ip6_var.h: revision 1.78
        sys/netinet6/raw_ip6.c: revision 1.160

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.178.2.3 -r1.178.2.4 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.74 -r1.74.6.1 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.157.2.1 -r1.157.2.2 src/sys/netinet6/raw_ip6.c
CVS commit: src/sys/netinet6
Module Name:    src
Committed By:   maxv
Date:           Tue Jan 30 15:54:03 UTC 2018

Modified Files:
        src/sys/netinet6: in6.h ip6_input.c ip6_var.h

Log Message:
Style, localify, remove dead code, and fix typos. No functional change.

To generate a diff of this commit:
cvs rdiff -u -r1.88 -r1.89 src/sys/netinet6/in6.h
cvs rdiff -u -r1.188 -r1.189 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.78 -r1.79 src/sys/netinet6/ip6_var.h
CVS commit: src/sys/netinet6
Module Name:    src
Committed By:   maxv
Date:           Tue Jan 30 15:35:31 UTC 2018

Modified Files:
        src/sys/netinet6: ip6_input.c

Log Message:
Kick nested fragments.

To generate a diff of this commit:
cvs rdiff -u -r1.187 -r1.188 src/sys/netinet6/ip6_input.c
CVS commit: src/crypto/external/bsd/libsaslc/dist/src
Module Name:    src
Committed By:   shm
Date:           Tue Jan 30 15:28:39 UTC 2018

Modified Files:
        src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c

Log Message:
Fixed memory leak (CID: 977744)

To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 \
    src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c
CVS commit: src/sys/netinet6
Module Name:    src
Committed By:   maxv
Date:           Tue Jan 30 14:49:25 UTC 2018

Modified Files:
        src/sys/netinet6: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain.

If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'.

By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.

To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.186 -r1.187 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.77 -r1.78 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.159 -r1.160 src/sys/netinet6/raw_ip6.c
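The mbuf-chain problem this commit message (and its pull-ups above) describes, as an added illustration that is not NetBSD code: a toy mbuf chain with the IPv6 header alone in the first mbuf and the extension headers in a second one. ip6_prevhdr_off walks the extension headers with a chain-aware copy (the role m_copydata/IP6_EXTHDR_GET play in the kernel) and returns an offset, as the fixed ip6_get_prevhdr does, while in_first_mbuf shows that the old mtod(m, char *) + len arithmetic leaves the first mbuf for any offset at or beyond its m_len. The struct, helper names and sample bytes are simplified stand-ins constructed for this example, not the kernel's.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-in for the kernel mbuf (constructed here, not sys/mbuf.h):
 * a chain of buffers, each holding m_len bytes of the packet. */
struct mbuf { struct mbuf *m_next; int m_len; unsigned char *m_data; };

#define IPV6_HDRLEN 40
#define IP6_NXT_OFF 6	/* offsetof(struct ip6_hdr, ip6_nxt) */
enum { IPPROTO_HOPOPTS = 0, IPPROTO_UDP = 17, IPPROTO_FRAGMENT = 44, IPPROTO_AH = 51 };

static int chain_len(const struct mbuf *m)
{
	int n = 0;
	for (; m != NULL; m = m->m_next)
		n += m->m_len;
	return n;
}

/* Copy len bytes at chain offset off, crossing mbuf boundaries; -1 if the
 * range is not inside the chain. This is the job m_copydata/IP6_EXTHDR_GET
 * do in the kernel and a bare mtod(m, char *) + off does not. */
static int chain_copy(const struct mbuf *m, int off, int len, void *dst)
{
	unsigned char *out = dst;
	if (off < 0 || len < 0 || off + len > chain_len(m))
		return -1;
	while (m != NULL && off >= m->m_len) {	/* skip mbufs before off */
		off -= m->m_len;
		m = m->m_next;
	}
	for (; len > 0; m = m->m_next, off = 0) {
		int n = m->m_len - off;
		if (n > len)
			n = len;
		memcpy(out, m->m_data + off, n);
		out += n;
		len -= n;
	}
	return 0;
}

/* The old pointer math: is mtod(m, char *) + off still inside the first mbuf? */
static int in_first_mbuf(const struct mbuf *m, int off)
{
	return off >= 0 && off < m->m_len;
}

/* Chain offset of the next-header field introducing the header at off, found
 * by walking the extension headers from the IPv6 header. Returns an offset,
 * as the fixed ip6_get_prevhdr does; -1 if the walk does not land on off. */
static int ip6_prevhdr_off(const struct mbuf *m, int off)
{
	unsigned char ext[2];		/* ip6e_nxt, ip6e_len */
	int len = IPV6_HDRLEN, nlen = 0, nxt;
	if (off < IPV6_HDRLEN)
		return -1;
	if (off == IPV6_HDRLEN)
		return IP6_NXT_OFF;
	if (chain_copy(m, IP6_NXT_OFF, 1, ext) < 0)
		return -1;
	nxt = ext[0];
	while (len < off) {
		if (chain_copy(m, len, 2, ext) < 0)
			return -1;
		switch (nxt) {
		case IPPROTO_FRAGMENT: nlen = 8; break;
		case IPPROTO_AH:       nlen = (ext[1] + 2) << 2; break;
		default:               nlen = (ext[1] + 1) << 3; break;
		}
		len += nlen;
		nxt = ext[0];
	}
	return len == off ? len - nlen : -1;
}

/* Constructed sample: IPv6 header alone in the first mbuf; Hop-by-Hop header
 * (8 bytes), Fragment header (8 bytes) and 8 payload bytes in the second. */
static unsigned char buf1[IPV6_HDRLEN], buf2[24];
static struct mbuf m2 = { NULL, sizeof buf2, buf2 };
static struct mbuf m1 = { &m2, sizeof buf1, buf1 };

static const struct mbuf *sample_chain(void)
{
	buf1[IP6_NXT_OFF] = IPPROTO_HOPOPTS;	/* other header bytes stay zero */
	buf2[0] = IPPROTO_FRAGMENT;		/* HBH: nxt; len byte 0 => 8 bytes */
	buf2[8] = IPPROTO_UDP;			/* FRAG: nxt */
	return &m1;
}

int main(void)
{
	const struct mbuf *c = sample_chain();
	printf("prevhdr(48) at chain offset %d; old pointer math inside first mbuf: %d\n", ip6_prevhdr_off(c, 48), in_first_mbuf(c, 48));
	return 0;
}
```

For the Fragment header at offset 48 the walk returns 40 (the Hop-by-Hop header's nxt byte, which lives in the second mbuf), whereas the old arithmetic would have indexed 8 bytes past the 40-byte first mbuf.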
CVS commit: src/crypto/external/bsd/libsaslc/dist/src
Module Name:    src
Committed By:   shm
Date:           Tue Jan 30 13:11:28 UTC 2018

Modified Files:
        src/crypto/external/bsd/libsaslc/dist/src: mech_digestmd5.c

Log Message:
Fixed potential NULL pointer dereference (CID: 978477)

To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 \
    src/crypto/external/bsd/libsaslc/dist/src/mech_digestmd5.c
CVS commit: src/sys/kern
Module Name:    src
Committed By:   ozaki-r
Date:           Tue Jan 30 11:03:06 UTC 2018

Modified Files:
        src/sys/kern: subr_workqueue.c

Log Message:
Check whether an already queued work item is being enqueued again, which is not allowed

To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/kern/subr_workqueue.c
CVS commit: src/sys/net
Module Name:    src
Committed By:   ozaki-r
Date:           Tue Jan 30 11:01:04 UTC 2018

Modified Files:
        src/sys/net: route.c

Log Message:
Prevent rt_free_global.wk from being enqueued to workqueue doubly

To generate a diff of this commit:
cvs rdiff -u -r1.205 -r1.206 src/sys/net/route.c
CVS commit: src/sys/net
Module Name:    src
Committed By:   ozaki-r
Date:           Tue Jan 30 10:40:02 UTC 2018

Modified Files:
        src/sys/net: if.c

Log Message:
Destroy ifq_lock at the end of if_detach

It still can be used in if_detach.

To generate a diff of this commit:
cvs rdiff -u -r1.418 -r1.419 src/sys/net/if.c
CVS commit: src/sys/dev/usb
Module Name:    src
Committed By:   msaitoh
Date:           Tue Jan 30 08:53:39 UTC 2018

Modified Files:
        src/sys/dev/usb: xhci.c

Log Message:
Avoid panic while detaching xhci. The xhci driver has both sc_child and sc_child2 but xhci_childdet() only supported sc_child. OK'd by Nick.

To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 src/sys/dev/usb/xhci.c
CVS commit: src/sys/dev/pci
Module Name:    src
Committed By:   knakahara
Date:           Tue Jan 30 08:15:47 UTC 2018

Modified Files:
        src/sys/dev/pci: if_wm.c

Log Message:
Make wm(4) watchdog MP-safe. There is almost no influence on performance.

wm(4) does not use ifp->if_watchdog now, that is, it does not touch ifp->if_timer. It also uses its own callout (wm_tick) as watchdog now. The watchdog uses a per-queue counter to check timeout. So, a global lock is not required.

To generate a diff of this commit:
cvs rdiff -u -r1.561 -r1.562 src/sys/dev/pci/if_wm.c