CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 28 10:15:20 UTC 2024 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1960): sys/netinet6/frag6.c: revision 1.78 frag6: fix calculation of fragment length Because of the miscalculation, 32 bytes fragmented IPv6 packets have been wrongly dropped. See https://mail-index.netbsd.org/tech-net/2024/04/14/msg008741.html for more details. Patch from Yasuyuki KOZAKAI (with minor tweaks) To generate a diff of this commit: cvs rdiff -u -r1.60.6.6 -r1.60.6.7 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.6 src/sys/netinet6/frag6.c:1.60.6.7 --- src/sys/netinet6/frag6.c:1.60.6.6 Thu Oct 27 16:08:50 2022 +++ src/sys/netinet6/frag6.c Sun Apr 28 10:15:20 2024 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.7 2024/04/28 10:15:20 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.7 2024/04/28 10:15:20 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" 
@@ -158,9 +158,10 @@ frag6_input(struct mbuf **mp, int *offp, * sizeof(struct ip6_frag) == 8 * sizeof(struct ip6_hdr) = 40 */ - if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && - (((ntohs(ip6->ip6_plen) - offset) == 0) || - ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) { + frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset + - sizeof(struct ip6_frag); + if ((frgpartlen == 0) || + ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && (frgpartlen & 0x7) != 0)) { icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offsetof(struct ip6_hdr, ip6_plen)); in6_ifstat_inc(dstifp, ifs6_reass_fail); @@ -269,7 +270,6 @@ frag6_input(struct mbuf **mp, int *offp, * in size. * If it would exceed, discard the fragment and return an ICMP error. */ - frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset; if (q6->ip6q_unfrglen >= 0) { /* The 1st fragment has already arrived. */ if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) {
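Review bot: The new guard in frag6_input rejects only `frgpartlen == 0`, so a value that came out negative (or wrapped, since the `sizeof` operands make the subtraction unsigned before it is stored) would pass this test and reach the IPV6_MAXPACKET check in the later hunk. The declaration of `frgpartlen` and the earlier validation of `ip6_plen` against the mbuf length are outside the hunk, so this may already be impossible; if `frgpartlen` is signed, `if ((frgpartlen <= 0) ||` costs nothing and makes the invariant local. The test also now drops a zero-length final fragment, which the old code did only when IP6F_MORE_FRAG was set. If that is intended, the comment above should say so, e.g. `/* frgpartlen: fragment payload after the fragment header; empty fragments are always rejected */`.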
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 28 10:15:20 UTC 2024 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1960): sys/netinet6/frag6.c: revision 1.78 frag6: fix calculation of fragment length Because of the miscalculation, 32 bytes fragmented IPv6 packets have been wrongly dropped. See https://mail-index.netbsd.org/tech-net/2024/04/14/msg008741.html for more details. Patch from Yasuyuki KOZAKAI (with minor tweaks) To generate a diff of this commit: cvs rdiff -u -r1.60.6.6 -r1.60.6.7 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Mar 10 19:13:09 UTC 2024 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1944): sys/netinet6/in6.c: revision 1.292 netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'. PR kern/53922 To generate a diff of this commit: cvs rdiff -u -r1.245.2.14 -r1.245.2.15 src/sys/netinet6/in6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6.c diff -u src/sys/netinet6/in6.c:1.245.2.14 src/sys/netinet6/in6.c:1.245.2.15 --- src/sys/netinet6/in6.c:1.245.2.14 Fri Aug 4 14:38:09 2023 +++ src/sys/netinet6/in6.c Sun Mar 10 19:13:09 2024 @@ -1,4 +1,4 @@ -/* $NetBSD: in6.c,v 1.245.2.14 2023/08/04 14:38:09 martin Exp $ */ +/* $NetBSD: in6.c,v 1.245.2.15 2024/03/10 19:13:09 martin Exp $ */ /* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.14 2023/08/04 14:38:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.15 2024/03/10 19:13:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -708,7 +708,14 @@ in6_control1(struct socket *so, u_long c int s = splsoftnet(); error = in6_update_ifa1(ifp, ifra, , , 0); splx(s); - if (error) + /* + * in6_update_ifa1 doesn't create the address if its + * valid lifetime (vltime) is zero, since we would just + * delete the address immediately in that case anyway. + * So it may succeed but return null ia. In that case, + * nothing left to do. + */ + if (error || ia == NULL) break; pfil_run_addrhooks(if_pfil, cmd, >ia_ifa); break;
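Review bot: The added `ia == NULL` test in in6_control1 is only reliable if `ia` is initialised to NULL before the `in6_update_ifa1` call, because the new comment says the callee can succeed without creating (and presumably without storing) an address. The declaration is outside the hunk; if it reads `struct in6_ifaddr *ia;` it should become `struct in6_ifaddr *ia = NULL;`. The ioctl also still returns 0 in this case, so callers cannot tell "address configured" from "nothing created". That may be intended but deserves a word in the comment.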
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Mar 10 19:13:09 UTC 2024 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c Log Message: Pull up following revision(s) (requested by riastradh in ticket #1944): sys/netinet6/in6.c: revision 1.292 netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'. PR kern/53922 To generate a diff of this commit: cvs rdiff -u -r1.245.2.14 -r1.245.2.15 src/sys/netinet6/in6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 4 14:38:09 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c ip6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1884): sys/netinet6/in6.c: revision 1.289 sys/netinet6/ip6_output.c: revision 1.234 in6: clear ND6_IFF_IFDISABLED to allow DAD again on link-up in6: don't send any IPv6 packets over a disabled interface To generate a diff of this commit: cvs rdiff -u -r1.245.2.13 -r1.245.2.14 src/sys/netinet6/in6.c cvs rdiff -u -r1.191.6.5 -r1.191.6.6 src/sys/netinet6/ip6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6.c diff -u src/sys/netinet6/in6.c:1.245.2.13 src/sys/netinet6/in6.c:1.245.2.14 --- src/sys/netinet6/in6.c:1.245.2.13 Thu Oct 8 18:06:13 2020 +++ src/sys/netinet6/in6.c Fri Aug 4 14:38:09 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: in6.c,v 1.245.2.13 2020/10/08 18:06:13 martin Exp $ */ +/* $NetBSD: in6.c,v 1.245.2.14 2023/08/04 14:38:09 martin Exp $ */ /* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.13 2020/10/08 18:06:13 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.14 2023/08/04 14:38:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2311,6 +2311,10 @@ in6_if_link_down(struct ifnet *ifp) } pserialize_read_exit(s); curlwp_bindx(bound); + + /* Clear ND6_IFF_IFDISABLED to allow DAD again on link-up. */ + if (ifp->if_afdata[AF_INET6] != NULL) + ND_IFINFO(ifp)->flags &= ~ND6_IFF_IFDISABLED; } void Index: src/sys/netinet6/ip6_output.c diff -u src/sys/netinet6/ip6_output.c:1.191.6.5 src/sys/netinet6/ip6_output.c:1.191.6.6 --- src/sys/netinet6/ip6_output.c:1.191.6.5 Thu Mar 23 12:08:39 2023 +++ src/sys/netinet6/ip6_output.c Fri Aug 4 14:38:09 2023 
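Review bot: The block added at the end of in6_if_link_down clears ND6_IFF_IFDISABLED unconditionally, so it does not distinguish a flag set by the kernel after a DAD failure from one set deliberately by an administrator. If the flag can be set from userland on this branch (not visible here), a link flap would silently re-enable IPv6 on an interface that was disabled on purpose. That matters more now that ip6_if_output in this same commit uses the flag as a transmit gate. The `&=` is also a read-modify-write on shared per-interface flags after `pserialize_read_exit`; whether a lock covers it is outside the hunk, so a comment naming the lock the caller holds would help.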
@@ -1,4 +1,4 @@ -/* $NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $ */ +/* $NetBSD: ip6_output.c,v 1.191.6.6 2023/08/04 14:38:09 martin Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.6 2023/08/04 14:38:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -197,6 +197,12 @@ ip6_if_output(struct ifnet * const ifp, } } + /* discard the packet if IPv6 operation is disabled on the interface */ + if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED)) { + m_freem(m); + return ENETDOWN; /* better error? */ + } + if ((ifp->if_flags & IFF_LOOPBACK) != 0) error = if_output_lock(ifp, origifp, m, sin6tocsa(dst), rt); else
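Review bot: The new check in ip6_if_output dereferences `ND_IFINFO(ifp)` without testing `ifp->if_afdata[AF_INET6]`, while the in6_if_link_down hunk in this same commit guards the same macro with `if (ifp->if_afdata[AF_INET6] != NULL)`. If the pointer can be NULL on the output path (for example during interface detach; not visible here), this would be a kernel NULL dereference. Either add the same guard, `if (ifp->if_afdata[AF_INET6] != NULL && (ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED)) {`, or state in the comment why it cannot be NULL at this point. The drop is also silent: no statistic is bumped before `m_freem(m)`, which makes discarded traffic hard to spot when diagnosing a disabled interface. The function body continues outside the hunk.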
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 4 14:38:09 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c ip6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1884): sys/netinet6/in6.c: revision 1.289 sys/netinet6/ip6_output.c: revision 1.234 in6: clear ND6_IFF_IFDISABLED to allow DAD again on link-up in6: don't send any IPv6 packets over a disabled interface To generate a diff of this commit: cvs rdiff -u -r1.245.2.13 -r1.245.2.14 src/sys/netinet6/in6.c cvs rdiff -u -r1.191.6.5 -r1.191.6.6 src/sys/netinet6/ip6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 4 14:24:16 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1883): sys/netinet6/in6_src.c: revision 1.92 in6: add missing rtcache_unref to in6_selectroute By default, this issue is harmless. However, if NET_MPSAFE is enabled, it could eventually lead to a kernel panic. To generate a diff of this commit: cvs rdiff -u -r1.79.6.3 -r1.79.6.4 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 4 14:24:16 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1883): sys/netinet6/in6_src.c: revision 1.92 in6: add missing rtcache_unref to in6_selectroute By default, this issue is harmless. However, if NET_MPSAFE is enabled, it could eventually lead to a kernel panic. To generate a diff of this commit: cvs rdiff -u -r1.79.6.3 -r1.79.6.4 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_src.c diff -u src/sys/netinet6/in6_src.c:1.79.6.3 src/sys/netinet6/in6_src.c:1.79.6.4 --- src/sys/netinet6/in6_src.c:1.79.6.3 Wed Aug 11 17:24:42 2021 +++ src/sys/netinet6/in6_src.c Fri Aug 4 14:24:16 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_src.c,v 1.79.6.3 2021/08/11 17:24:42 martin Exp $ */ +/* $NetBSD: in6_src.c,v 1.79.6.4 2023/08/04 14:24:16 martin Exp $ */ /* $KAME: in6_src.c,v 1.159 2005/10/19 01:40:32 t-momose Exp $ */ /* @@ -66,7 +66,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79.6.3 2021/08/11 17:24:42 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79.6.4 2023/08/04 14:24:16 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -704,6 +704,7 @@ in6_selectroute(struct sockaddr_in6 *dst if (count_discard) in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard); error = EHOSTUNREACH; + rtcache_unref(rt, *ro); rt = NULL; } }
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Mar 23 12:08:39 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_output.c raw_ip6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1808): sys/netinet6/raw_ip6.c: revision 1.183 (via patch) sys/netinet6/ip6_output.c: revision 1.233 in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM) Same as OpenBSD. in6: make sure a user-specified checksum field is within a packet >From OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.191.6.4 -r1.191.6.5 src/sys/netinet6/ip6_output.c cvs rdiff -u -r1.157.2.5 -r1.157.2.6 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_output.c diff -u src/sys/netinet6/ip6_output.c:1.191.6.4 src/sys/netinet6/ip6_output.c:1.191.6.5 --- src/sys/netinet6/ip6_output.c:1.191.6.4 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/ip6_output.c Thu Mar 23 12:08:39 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" 
@@ -2028,8 +2028,12 @@ ip6_raw_ctloutput(int op, struct socket error = sockopt_getint(sopt, ); if (error) break; - if ((optval % 2) != 0) { -/* the API assumes even offset values */ + if (optval < -1 || + (optval > 0 && (optval % 2) != 0)) { +/* + * The API assumes non-negative even offset + * values or -1 as a special value. + */ error = EINVAL; } else if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.157.2.5 src/sys/netinet6/raw_ip6.c:1.157.2.6 --- src/sys/netinet6/raw_ip6.c:1.157.2.5 Tue Jan 29 07:04:09 2019 +++ src/sys/netinet6/raw_ip6.c Thu Mar 23 12:08:39 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -192,7 +192,16 @@ rip6_input(struct mbuf **mp, int *offp, continue; if (in6p->in6p_cksum != -1) { RIP6_STATINC(RIP6_STAT_ISUM); - if (in6_cksum(m, proto, *offp, + /* + * Although in6_cksum() does not need the position of + * the checksum field for verification, enforce that it + * is located within the packet. Userland has given + * a checksum offset, a packet too short for that is + * invalid. Avoid overflow with user supplied offset. + */ + if (m->m_pkthdr.len < *offp + 2 || + m->m_pkthdr.len - *offp - 2 < in6p->in6p_cksum || + in6_cksum(m, proto, *offp, m->m_pkthdr.len - *offp)) { RIP6_STATINC(RIP6_STAT_BADSUM); continue; @@ -491,7 +500,7 @@ rip6_output(struct mbuf *m, struct socke off = offsetof(struct icmp6_hdr, icmp6_cksum); else off = in6p->in6p_cksum; - if (plen < off + 1) { + if (plen < 2 || plen - 2 < off) { error = EINVAL; goto bad; }
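Review bot: The rewritten bound in rip6_output, `if (plen < 2 || plen - 2 < off)`, has no comment, although the matching check added to rip6_input in this commit explains at length why it is written that way. Its correctness depends on `off` being non-negative, which for `in6p->in6p_cksum` is now guaranteed only by the setsockopt validation in ip6_raw_ctloutput in the other file. It also depends on the types of `plen` and `off`, declared outside the hunk; if one is unsigned and the other signed, the comparison converts silently. I would add `/* the 2-byte checksum field at off must lie within the packet; written as a subtraction so off + 2 cannot overflow */` above the test. In rip6_input a packet that is merely too short for the configured offset is counted under RIP6_STAT_BADSUM, which is worth noting in that comment too.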
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Mar 23 12:08:39 UTC 2023 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_output.c raw_ip6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1808): sys/netinet6/raw_ip6.c: revision 1.183 (via patch) sys/netinet6/ip6_output.c: revision 1.233 in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM) Same as OpenBSD. in6: make sure a user-specified checksum field is within a packet >From OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.191.6.4 -r1.191.6.5 src/sys/netinet6/ip6_output.c cvs rdiff -u -r1.157.2.5 -r1.157.2.6 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Oct 27 16:08:50 UTC 2022 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1778): sys/netinet6/frag6.c: revision 1.76 frag6: don't use spin mutex for frag6_lock frag6_lock is held during sending a packet (icmp6_error), so we must not use a spin mutex because we can acquire sleep locks on sending a packet. Also we don't need to use spin mutex for frag6_lock anymore because frag6_lock is now not used from hardware interrupt context. To generate a diff of this commit: cvs rdiff -u -r1.60.6.5 -r1.60.6.6 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.5 src/sys/netinet6/frag6.c:1.60.6.6 --- src/sys/netinet6/frag6.c:1.60.6.5 Thu Sep 27 15:07:35 2018 +++ src/sys/netinet6/frag6.c Thu Oct 27 16:08:50 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.5 2018/09/27 15:07:35 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.5 2018/09/27 15:07:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.6 2022/10/27 16:08:50 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -80,7 +80,7 @@ frag6_init(void) { ip6q.ip6q_next = ip6q.ip6q_prev = - mutex_init(_lock, MUTEX_DEFAULT, IPL_NET); + mutex_init(_lock, MUTEX_DEFAULT, IPL_NONE); } /*
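Review bot: The `IPL_NONE` argument in frag6_init is the whole fix, but nothing at the call site says why. The reasoning (the lock is held across icmp6_error, which may take sleepable locks, and is no longer taken from hardware interrupt context) lives only in the commit message. I would add a comment above the call such as `/* adaptive mutex: held across icmp6_error(), never taken from hard interrupt context */` so that nobody raises the IPL again without re-reading the history. If any remaining path does take the lock from interrupt context, the result would be a sleep in interrupt context, so an assertion at the lock sites is worth considering; those sites are outside the hunk.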
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Oct 27 16:08:50 UTC 2022 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1778): sys/netinet6/frag6.c: revision 1.76 frag6: don't use spin mutex for frag6_lock frag6_lock is held during sending a packet (icmp6_error), so we must not use a spin mutex because we can acquire sleep locks on sending a packet. Also we don't need to use spin mutex for frag6_lock anymore because frag6_lock is now not used from hardware interrupt context. To generate a diff of this commit: cvs rdiff -u -r1.60.6.5 -r1.60.6.6 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 20 19:34:49 UTC 2021 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1692): sys/netinet6/nd6.c: revision 1.277 nd6: prevent ln from being freed while releasing held packets To generate a diff of this commit: cvs rdiff -u -r1.232.2.13 -r1.232.2.14 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6.c diff -u src/sys/netinet6/nd6.c:1.232.2.13 src/sys/netinet6/nd6.c:1.232.2.14 --- src/sys/netinet6/nd6.c:1.232.2.13 Mon Sep 30 15:48:45 2019 +++ src/sys/netinet6/nd6.c Fri Aug 20 19:34:49 2021 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6.c,v 1.232.2.13 2019/09/30 15:48:45 martin Exp $ */ +/* $NetBSD: nd6.c,v 1.232.2.14 2021/08/20 19:34:49 martin Exp $ */ /* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.13 2019/09/30 15:48:45 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.14 2021/08/20 19:34:49 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -2014,6 +2014,7 @@ nd6_llinfo_release_pkts(struct llentry * m_hold = ln->la_hold, ln->la_hold = NULL, ln->la_numheld = 0; + LLE_ADDREF(ln); LLE_WUNLOCK(ln); for (; m_hold != NULL; m_hold = m_hold_next) { m_hold_next = m_hold->m_nextpkt; @@ -2027,6 +2028,7 @@ nd6_llinfo_release_pkts(struct llentry * ip6_if_output(ifp, ifp, m_hold, , NULL); } LLE_WLOCK(ln); + LLE_REMREF(ln); } /*
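Review bot: The reference taken by `LLE_ADDREF(ln)` keeps the memory of `ln` alive across the unlocked output loop in nd6_llinfo_release_pkts, but it does not keep the entry in the table, and after `LLE_WLOCK(ln); LLE_REMREF(ln);` the caller goes on using `ln`. If another thread can unlink the entry while the lock is dropped (not visible here), the caller would continue to update a stale entry. Dropping what may then be the last reference with a plain LLE_REMREF, rather than a variant that frees, could also leak it. A comment on the function stating that the lock is dropped and re-taken, and what the caller must re-check afterwards, would make the contract explicit. Both hunks belong to the same function, whose start and end are outside the hunks.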
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Aug 20 19:34:49 UTC 2021 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1692): sys/netinet6/nd6.c: revision 1.277 nd6: prevent ln from being freed while releasing held packets To generate a diff of this commit: cvs rdiff -u -r1.232.2.13 -r1.232.2.14 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Aug 11 17:24:43 UTC 2021 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by kardel in ticket #1690): sys/netinet6/in6_src.c: revision 1.88 PR kern/56348 MTU discovery fails with IPv6 sockets bound to IPv4 mapped address pick up the IPv4 route for IPv4 mapped IPv6 address to get the correct MTU and not any unrelated/inappropriate MTU from IPv6 routes. IPv4 mapped IPv6 addresses are always handled by the IPv4 stack and MTU discovery is solely handled with the IPv4 routing table. To generate a diff of this commit: cvs rdiff -u -r1.79.6.2 -r1.79.6.3 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_src.c diff -u src/sys/netinet6/in6_src.c:1.79.6.2 src/sys/netinet6/in6_src.c:1.79.6.3 --- src/sys/netinet6/in6_src.c:1.79.6.2 Sun Dec 10 09:24:30 2017 +++ src/sys/netinet6/in6_src.c Wed Aug 11 17:24:42 2021 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_src.c,v 1.79.6.2 2017/12/10 09:24:30 snj Exp $ */ +/* $NetBSD: in6_src.c,v 1.79.6.3 2021/08/11 17:24:42 martin Exp $ */ /* $KAME: in6_src.c,v 1.159 2005/10/19 01:40:32 t-momose Exp $ */ /* @@ -66,7 +66,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79.6.2 2017/12/10 09:24:30 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79.6.3 2021/08/11 17:24:42 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -608,6 +608,7 @@ in6_selectroute(struct sockaddr_in6 *dst struct rtentry *rt = NULL; union { struct sockaddr dst; + struct sockaddr_in dst4; struct sockaddr_in6 dst6; } u; 
@@ -674,9 +675,17 @@ in6_selectroute(struct sockaddr_in6 *dst * Use a cached route if it exists and is valid, else try to allocate * a new one. Note that we should check the address family of the * cached destination, in case of sharing the cache with IPv4. + * + * for V4 mapped addresses we want to pick up the v4 route + * see PR kern/56348 */ - u.dst6 = *dstsock; - u.dst6.sin6_scope_id = 0; + if (IN6_IS_ADDR_V4MAPPED(>sin6_addr)) { + in6_sin6_2_sin(, dstsock); + } else { + u.dst6 = *dstsock; + u.dst6.sin6_scope_id = 0; + } + rt = rtcache_lookup1(*ro, , 1); if (rt == NULL)
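Review bot: After this change `rtcache_lookup1` in in6_selectroute can return an AF_INET route for a v4-mapped destination, and that route is stored in the caller's `*ro` cache and flows through the rest of the function, which is outside the hunk. Any later code that treats `rt` or its gateway as IPv6 (casts to `struct sockaddr_in6`, scope handling, IPv6 interface statistics) should be checked against an IPv4 rtentry. The existing comment's warning about sharing the cache with IPv4 now applies in both directions. The added comment would read better as a full sentence, e.g. `* For v4-mapped addresses look up the IPv4 route (PR kern/56348); rt is then an AF_INET rtentry.`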
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Aug 11 17:24:43 UTC 2021 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by kardel in ticket #1690): sys/netinet6/in6_src.c: revision 1.88 PR kern/56348 MTU discovery fails with IPv6 sockets bound to IPv4 mapped address pick up the IPv4 route for IPv4 mapped IPv6 address to get the correct MTU and not any unrelated/inappropriate MTU from IPv6 routes. IPv4 mapped IPv6 addresses are always handled by the IPv4 stack and MTU discovery is solely handled with the IPv4 routing table. To generate a diff of this commit: cvs rdiff -u -r1.79.6.2 -r1.79.6.3 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Apr 15 14:27:54 UTC 2020 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by kim in ticket #1531): sys/netinet6/nd6_rtr.c: revision 1.148 Fix default route selection The primary issue was that in revision 1.79 a check was added in the nd6_defrouter_select() search loop to ignore the entry if RA processing is enabled on its interface. In practice this results in all entries being ignored. This fix reverses the condition, so that an entry is ignored when RA processing is NOT enabled on its interface. Further, the entry is only ignored for being selected as the default router. The currently installed router must be identified regardless of the (current) status of its interface, so that we can delete the route before installing a new one. I also added error logging when adding or deleting a route fails. This should help the administrator (or kernel developer) in noticing possible problems. Finally, if deleting a route fails, the corresponding default route entry no longer has its "installed" flag cleared, so that deletion will be retried. At a minimum, this will cause repeated messages about the failed deletion as opposed to only getting repeated messages about the installation of a new default route failing. Fixes PR kern/55091 and also PR bin/54997 as far as the behaviour observed with ndp(8). To generate a diff of this commit: cvs rdiff -u -r1.135.6.4 -r1.135.6.5 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_rtr.c diff -u src/sys/netinet6/nd6_rtr.c:1.135.6.4 src/sys/netinet6/nd6_rtr.c:1.135.6.5 --- src/sys/netinet6/nd6_rtr.c:1.135.6.4 Wed Aug 15 12:09:58 2018 +++ src/sys/netinet6/nd6_rtr.c Wed Apr 15 14:27:54 2020 
@@ -1,4 +1,4 @@ -/* $NetBSD: nd6_rtr.c,v 1.135.6.4 2018/08/15 12:09:58 martin Exp $ */ +/* $NetBSD: nd6_rtr.c,v 1.135.6.5 2020/04/15 14:27:54 martin Exp $ */ /* $KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.4 2018/08/15 12:09:58 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.5 2020/04/15 14:27:54 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -495,6 +495,11 @@ defrouter_addreq(struct nd_defrouter *ne if (error == 0) { nd6_numroutes++; newdr->installed = 1; + } else { + char ip6buf[INET6_ADDRSTRLEN]; + log(LOG_ERR, "defrouter_addreq: " + "error %d adding default router %s on %s\n", + error, IN6_PRINT(ip6buf, >rtaddr), newdr->ifp->if_xname); } #ifndef NET_MPSAFE splx(s); @@ -604,10 +609,15 @@ defrouter_delreq(struct nd_defrouter *dr error = rtrequest_newmsg(RTM_DELETE, , , , RTF_GATEWAY); - if (error == 0) + if (error == 0) { nd6_numroutes--; - - dr->installed = 0; + dr->installed = 0; + } else { + char ip6buf[INET6_ADDRSTRLEN]; + log(LOG_ERR, "defrouter_delreq: " + "error %d deleting default router %s on %s\n", + error, IN6_PRINT(ip6buf, >rtaddr), dr->ifp->if_xname); + } } /* @@ -683,14 +693,6 @@ nd6_defrouter_select(void) * the ordering rule of the list described in defrtrlist_update(). */ ND_DEFROUTER_LIST_FOREACH(dr) { - ndi = ND_IFINFO(dr->ifp); - if (nd6_accepts_rtadv(ndi)) - continue; - - if (selected_dr == NULL && - nd6_is_llinfo_probreach(dr)) - selected_dr = dr; - if (dr->installed && !installed_dr) installed_dr = dr; else if (dr->installed && installed_dr) { @@ -698,6 +700,14 @@ nd6_defrouter_select(void) log(LOG_ERR, "nd6_defrouter_select: more than one router" " is installed\n"); } + + ndi = ND_IFINFO(dr->ifp); + if (!nd6_accepts_rtadv(ndi)) + continue; + + if (selected_dr == NULL && + nd6_is_llinfo_probreach(dr)) + selected_dr = dr; } /* * If none of the default routers was found to be reachable,
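Review bot: In defrouter_delreq, `dr->installed` is now left set for every non-zero error, including the case where the route is already gone from the routing table. If `rtrequest_newmsg` reports a missing route with ESRCH (usual on BSD stacks, not confirmed from this page), the entry stays marked installed and the delete is retried on every selection pass. nd6_defrouter_select may then install a second router and hit its own `more than one router is installed` log. I would keep `if (error == 0) nd6_numroutes--;` and clear the flag with `if (error == 0 || error == ESRCH) dr->installed = 0;`. Both new `log(LOG_ERR, ...)` calls, here and in defrouter_addreq, are unthrottled on a path driven by received router advertisements, so a rate limit would keep a persistent failure from flooding the log.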
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Apr 15 14:27:54 UTC 2020 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by kim in ticket #1531): sys/netinet6/nd6_rtr.c: revision 1.148 Fix default route selection The primary issue was that in revision 1.79 a check was added in the nd6_defrouter_select() search loop to ignore the entry if RA processing is enabled on its interface. In practice this results in all entries being ignored. This fix reverses the condition, so that an entry is ignored when RA processing is NOT enabled on its interface. Further, the entry is only ignored for being selected as the default router. The currently installed router must be identified regardless of the (current) status of its interface, so that we can delete the route before installing a new one. I also added error logging when adding or deleting a route fails. This should help the administrator (or kernel developer) in noticing possible problems. Finally, if deleting a route fails, the corresponding default route entry no longer has its "installed" flag cleared, so that deletion will be retried. At a minimum, this will cause repeated messages about the failed deletion as opposed to only getting repeated messages about the installation of a new default route failing. Fixes PR kern/55091 and also PR bin/54997 as far as the behaviour observed with ndp(8). To generate a diff of this commit: cvs rdiff -u -r1.135.6.4 -r1.135.6.5 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon Sep 23 08:17:24 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1383): sys/netinet6/nd6_nbr.c: revision 1.173 nd6: remove extra pserialize_read_exit To generate a diff of this commit: cvs rdiff -u -r1.138.6.7 -r1.138.6.8 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon Sep 23 08:17:24 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1383): sys/netinet6/nd6_nbr.c: revision 1.173 nd6: remove extra pserialize_read_exit To generate a diff of this commit: cvs rdiff -u -r1.138.6.7 -r1.138.6.8 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.138.6.7 src/sys/netinet6/nd6_nbr.c:1.138.6.8 --- src/sys/netinet6/nd6_nbr.c:1.138.6.7 Mon May 13 09:04:38 2019 +++ src/sys/netinet6/nd6_nbr.c Mon Sep 23 08:17:24 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.138.6.7 2019/05/13 09:04:38 martin Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.138.6.8 2019/09/23 08:17:24 martin Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.7 2019/05/13 09:04:38 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.8 2019/09/23 08:17:24 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -478,7 +478,6 @@ nd6_ns_output(struct ifnet *ifp, const s "determined: dst=%s, error=%d\n", IN6_PRINT(ip6buf, _sa.sin6_addr), error); -pserialize_read_exit(s); goto bad; } src = _in;
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon Aug 19 14:28:13 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1340): sys/netinet6/nd6.c: revision 1.257 Add missing IFNET_LOCK for regen_tmpaddr Reported by ryo@ To generate a diff of this commit: cvs rdiff -u -r1.232.2.11 -r1.232.2.12 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6.c diff -u src/sys/netinet6/nd6.c:1.232.2.11 src/sys/netinet6/nd6.c:1.232.2.12 --- src/sys/netinet6/nd6.c:1.232.2.11 Fri Jul 26 11:27:36 2019 +++ src/sys/netinet6/nd6.c Mon Aug 19 14:28:12 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6.c,v 1.232.2.11 2019/07/26 11:27:36 martin Exp $ */ +/* $NetBSD: nd6.c,v 1.232.2.12 2019/08/19 14:28:12 martin Exp $ */ /* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.11 2019/07/26 11:27:36 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.12 2019/08/19 14:28:12 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -668,8 +668,12 @@ nd6_timer_work(struct work *wk, void *ar if (ip6_use_tempaddr && (ia6->ia6_flags & IN6_IFF_TEMPORARY) != 0 && (oldflags & IN6_IFF_DEPRECATED) == 0) { +int ret; -if (regen_tmpaddr(ia6) == 0) { +IFNET_LOCK(ia6->ia_ifa.ifa_ifp); +ret = regen_tmpaddr(ia6); +IFNET_UNLOCK(ia6->ia_ifa.ifa_ifp); +if (ret == 0) { /* * A new temporary address is * generated.
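Review bot: `IFNET_LOCK(ia6->ia_ifa.ifa_ifp)` is taken inside the address loop of nd6_timer_work, and whether that loop runs inside a pserialize read section or with another lock held is outside the hunk. If IFNET_LOCK can sleep, `ia6` and its `ifa_ifp` need a held reference for the duration, and the loop must not be in a section that forbids sleeping. A short comment above the lock, e.g. `/* regen_tmpaddr() must be called with IFNET_LOCK held */`, would document why the lock is taken here and not in the callee.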
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon Aug 19 14:28:13 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1340): sys/netinet6/nd6.c: revision 1.257 Add missing IFNET_LOCK for regen_tmpaddr Reported by ryo@ To generate a diff of this commit: cvs rdiff -u -r1.232.2.11 -r1.232.2.12 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Jul 26 11:27:36 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by christos in ticket #1307): sys/netinet6/nd6.c: revision 1.256 Decrease the reference count before freeing, so that the entries actually get free'd. (Ryota Ozaki) To generate a diff of this commit: cvs rdiff -u -r1.232.2.10 -r1.232.2.11 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Jul 26 11:27:36 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by christos in ticket #1307): sys/netinet6/nd6.c: revision 1.256 Decrease the reference count before freeing, so that the entries actually get free'd. (Ryota Ozaki) To generate a diff of this commit: cvs rdiff -u -r1.232.2.10 -r1.232.2.11 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6.c diff -u src/sys/netinet6/nd6.c:1.232.2.10 src/sys/netinet6/nd6.c:1.232.2.11 --- src/sys/netinet6/nd6.c:1.232.2.10 Mon Jul 8 16:30:58 2019 +++ src/sys/netinet6/nd6.c Fri Jul 26 11:27:36 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6.c,v 1.232.2.10 2019/07/08 16:30:58 martin Exp $ */ +/* $NetBSD: nd6.c,v 1.232.2.11 2019/07/26 11:27:36 martin Exp $ */ /* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.10 2019/07/08 16:30:58 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.11 2019/07/26 11:27:36 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -498,6 +498,7 @@ nd6_llinfo_timer(void *arg) ln->ln_hold = m0; clear_llinfo_pqueue(ln); } + LLE_REMREF(ln); nd6_free(ln, 0); ln = NULL; if (m != NULL) { @@ -517,6 +518,7 @@ nd6_llinfo_timer(void *arg) case ND6_LLINFO_STALE: /* Garbage Collection(RFC 2461 5.3) */ if (!ND6_LLINFO_PERMANENT(ln)) { + LLE_REMREF(ln); nd6_free(ln, 1); ln = NULL; } @@ -540,6 +542,7 @@ nd6_llinfo_timer(void *arg) daddr6 = >r_l3addr.addr6; send_ns = true; } else { + LLE_REMREF(ln); nd6_free(ln, 0); ln = NULL; }
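Review bot: The `LLE_REMREF(ln);` lines added before `nd6_free()` in nd6_llinfo_timer carry no comment saying which reference they drop, so a later change can easily unbalance the count in either direction (a leaked entry or a premature free). A short comment at the first site, for example `/* drop the reference held for this timer so nd6_free() can really free ln */`, would document the pairing. That it is the timer's reference is inferred from the function name and the log message, and should be confirmed. The same applies to the hunks at -517 and -540. The function body starts and ends outside all three hunks, so the place where that reference is taken is not visible.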
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon May 13 09:04:38 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by roy in ticket #1262): sys/netinet6/nd6_nbr.c: revision 1.163 inet6: discard any received NA with a LL address we own This matches ARP behaviour. To generate a diff of this commit: cvs rdiff -u -r1.138.6.6 -r1.138.6.7 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.138.6.6 src/sys/netinet6/nd6_nbr.c:1.138.6.7 --- src/sys/netinet6/nd6_nbr.c:1.138.6.6 Mon Apr 2 08:54:35 2018 +++ src/sys/netinet6/nd6_nbr.c Mon May 13 09:04:38 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.138.6.6 2018/04/02 08:54:35 martin Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.138.6.7 2019/05/13 09:04:38 martin Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.6 2018/04/02 08:54:35 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.7 2019/05/13 09:04:38 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" 
@@ -630,9 +630,26 @@ nd6_na_input(struct mbuf *m, int off, in goto freeit; } - if (ndopts.nd_opts_tgt_lladdr) { + if (ndopts.nd_opts_tgt_lladdr != NULL) { + struct ifnet *ifp_ll; + struct psref psref_ll; + lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1); lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3; + + if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { + nd6log(LOG_INFO, "lladdrlen mismatch for %s " + "(if %d, NA packet %d)\n", IN6_PRINT(ip6buf, ), + ifp->if_addrlen, lladdrlen - 2); + goto bad; + } + + ifp_ll = if_get_bylla(lladdr, ifp->if_addrlen, _ll); + if (ifp_ll != NULL) { + /* it's from me, ignore it. */ + if_put(ifp_ll, _ll); + goto freeit; + } } ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, , _ia); @@ -647,7 +664,8 @@ nd6_na_input(struct mbuf *m, int off, in * Otherwise, process as defined in RFC 2461. */ if (ifa - && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { + && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) + { nd6_dad_na_input(ifa); ifa_release(ifa, _ia); ifa = NULL; @@ -674,13 +692,6 @@ nd6_na_input(struct mbuf *m, int off, in goto bad; } - if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) { - nd6log(LOG_INFO, "lladdrlen mismatch for %s " - "(if %d, NA packet %d)\n", IN6_PRINT(ip6buf, ), - ifp->if_addrlen, lladdrlen - 2); - goto bad; - } - /* * If no neighbor cache entry is found, NA SHOULD silently be * discarded.
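Review bot: In the -630 hunk the moved length test still begins with `lladdr &&`, but `lladdr` has just been assigned from a pointer that was checked against NULL, so that part is dead; `if (((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {` says the same thing. It would also help to state that this test has to stay ahead of `if_get_bylla()`, which is handed `ifp->if_addrlen` as the length to use on the option data, e.g. `/* validate the option length before using lladdr as a lookup key */`. The test now runs before the tentative-address branch shown in the -647 hunk, so an NA with a mismatched option length is dropped earlier than before. That ordering change looks intended but is not mentioned in the log message. nd6_na_input continues outside these hunks.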
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Mon May 13 09:04:38 UTC 2019 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by roy in ticket #1262): sys/netinet6/nd6_nbr.c: revision 1.163 inet6: discard any received NA with a LL address we own This matches ARP behaviour. To generate a diff of this commit: cvs rdiff -u -r1.138.6.6 -r1.138.6.7 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Nov 6 14:44:23 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: udp6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1081): sys/netinet6/udp6_usrreq.c: revision 1.143 (applied to udp6_output.c, due to refactoring in -current) Restore the length check of a sockaddr passed from userland at udp6_output A sockaddr with invalid length could be passed to the network stack resulting in a kernel panic like this: panic: sockaddr_copy: source too long, 28 < 128 bytes fatal breakpoint trap in supervisor mode trap type 1 code 0 rip 0x80216c35 cs 0x8 rflags 0x246 cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0x80003308b690 curlwp 0xfe803e11ca40 pid 48.1 lowest kstack 0x8000330852c0 Stopped in pid 48.1 (a.out) at netbsd:breakpoint+0x5: leave db{1}> bt breakpoint() at netbsd:breakpoint+0x5 vpanic() at netbsd:vpanic+0x140 panic() at netbsd:panic+0x3c sockaddr_copy() at netbsd:sockaddr_copy+0x95 rtcache_setdst() at netbsd:rtcache_setdst+0x73 rtcache_lookup2() at netbsd:rtcache_lookup2+0x56 in6_selectroute() at netbsd:in6_selectroute+0x184 in6_selectsrc() at netbsd:in6_selectsrc+0x119 udp6_output() at netbsd:udp6_output+0x25e udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a sosend() at netbsd:sosend+0x7bf do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89 sys_sendto() at netbsd:sys_sendto+0x5c syscall() at netbsd:syscall+0x1ed --- syscall (number 133) --- 7f7ff790173a: Reported by Paul Ripke To generate a diff of this commit: cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/sys/netinet6/udp6_output.c diff -u src/sys/netinet6/udp6_output.c:1.55.6.1 src/sys/netinet6/udp6_output.c:1.55.6.2 --- src/sys/netinet6/udp6_output.c:1.55.6.1 Sun Nov 4 11:14:09 2018 +++ src/sys/netinet6/udp6_output.c Tue Nov 6 14:44:22 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $ */ +/* $NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -139,6 +139,10 @@ udp6_output(struct in6pcb * const in6p, if (addr6) { sin6 = addr6; + if (sin6->sin6_len != sizeof(*sin6)) { + error = EINVAL; + goto release; + } if (sin6->sin6_family != AF_INET6) { error = EAFNOSUPPORT; goto release;
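Review bot: The new `sin6_len` test in udp6_output has no comment saying that `addr6` comes from userland, which is the reason the check exists. Something like `/* sin6_len is caller-supplied; a bad length panics later in sockaddr_copy() */` would make it harder to lose the check again, given that the log message speaks of restoring it. Because the length test sits ahead of the `sin6_family` test, a caller passing a differently sized sockaddr of another family now gets `EINVAL` rather than `EAFNOSUPPORT`; that is worth deciding deliberately and noting. The function body extends outside the hunk.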
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Nov 6 14:44:23 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: udp6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1081): sys/netinet6/udp6_usrreq.c: revision 1.143 (applied to udp6_output.c, due to refactoring in -current) Restore the length check of a sockaddr passed from userland at udp6_output A sockaddr with invalid length could be passed to the network stack resulting in a kernel panic like this: panic: sockaddr_copy: source too long, 28 < 128 bytes fatal breakpoint trap in supervisor mode trap type 1 code 0 rip 0x80216c35 cs 0x8 rflags 0x246 cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0x80003308b690 curlwp 0xfe803e11ca40 pid 48.1 lowest kstack 0x8000330852c0 Stopped in pid 48.1 (a.out) at netbsd:breakpoint+0x5: leave db{1}> bt breakpoint() at netbsd:breakpoint+0x5 vpanic() at netbsd:vpanic+0x140 panic() at netbsd:panic+0x3c sockaddr_copy() at netbsd:sockaddr_copy+0x95 rtcache_setdst() at netbsd:rtcache_setdst+0x73 rtcache_lookup2() at netbsd:rtcache_lookup2+0x56 in6_selectroute() at netbsd:in6_selectroute+0x184 in6_selectsrc() at netbsd:in6_selectsrc+0x119 udp6_output() at netbsd:udp6_output+0x25e udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a sosend() at netbsd:sosend+0x7bf do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89 sys_sendto() at netbsd:sys_sendto+0x5c syscall() at netbsd:syscall+0x1ed --- syscall (number 133) --- 7f7ff790173a: Reported by Paul Ripke To generate a diff of this commit: cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Nov 4 11:14:09 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: udp6_output.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1079): sys/netinet6/udp6_usrreq.c: revision 1.142 applied to udp6_output.c (refactured in HEAD) Fix error path in ip6 source address selection. in6_selectsrc previously returned a pointer to an ipv6 address, the pointer was NULL in case of an error and is checked later instead of the also returned error code. When in6_selectsrc was changed to store the address into a buffer, the error code was still ignored, but the buffer pointer was never set to NULL. As a result send() to an ipv6 address on a system that isn't configured for ipv6 no longer returns the expected EADDRAVAIL but fails later in ip6_output with EOPNOTSUPP when trying to send from an unspecified address. The wrong error code caused BIND to log the unexpected errors. To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/udp6_output.c diff -u src/sys/netinet6/udp6_output.c:1.55 src/sys/netinet6/udp6_output.c:1.55.6.1 --- src/sys/netinet6/udp6_output.c:1.55 Fri Mar 3 07:13:06 2017 +++ src/sys/netinet6/udp6_output.c Sun Nov 4 11:14:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_output.c,v 1.55 2017/03/03 07:13:06 ozaki-r Exp $ */ +/* $NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55 2017/03/03 07:13:06 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" 
@@ -233,7 +233,10 @@ udp6_output(struct in6pcb * const in6p, in6p->in6p_moptions, >in6p_route, >in6p_laddr, , , &_laddr); - /* XXX need error check? */ + if (error) +laddr = NULL; + else +laddr = &_laddr; if (oifp && scope_ambiguous && (error = in6_setscope(>sin6_addr, oifp, NULL))) { @@ -243,7 +246,6 @@ udp6_output(struct in6pcb * const in6p, } if_put(oifp, ); curlwp_bindx(bound); - laddr = &_laddr; } else { /* * XXX: freebsd[34] does not have in_selectsrc, but
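Review bot: In the -233 hunk the result of `in6_selectsrc()` is only turned into `laddr = NULL`, and the very next condition assigns `error = in6_setscope(...)`, which overwrites the original error code when `oifp` is set and the scope is ambiguous. From there on only `laddr == NULL` records the failure, so the errno finally returned depends on code outside the hunk. A comment such as `/* error may be overwritten below; laddr == NULL marks the failure */` would make that dependency explicit. The four added lines could also be written as `laddr = error ? NULL : &_laddr;`.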
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Nov 4 11:14:09 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: udp6_output.c Log Message: Pull up following revision(s) (requested by mlelstv in ticket #1079): sys/netinet6/udp6_usrreq.c: revision 1.142 applied to udp6_output.c (refactured in HEAD) Fix error path in ip6 source address selection. in6_selectsrc previously returned a pointer to an ipv6 address, the pointer was NULL in case of an error and is checked later instead of the also returned error code. When in6_selectsrc was changed to store the address into a buffer, the error code was still ignored, but the buffer pointer was never set to NULL. As a result send() to an ipv6 address on a system that isn't configured for ipv6 no longer returns the expected EADDRAVAIL but fails later in ip6_output with EOPNOTSUPP when trying to send from an unspecified address. The wrong error code caused BIND to log the unexpected errors. To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/udp6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Oct 25 18:32:54 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1071): sys/netinet6/icmp6.c: revision 1.240 Remove a leftover debug printf Pointed out by hannken@ To generate a diff of this commit: cvs rdiff -u -r1.211.6.7 -r1.211.6.8 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.211.6.7 src/sys/netinet6/icmp6.c:1.211.6.8 --- src/sys/netinet6/icmp6.c:1.211.6.7 Sat Jun 23 11:03:27 2018 +++ src/sys/netinet6/icmp6.c Thu Oct 25 18:32:54 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.211.6.7 2018/06/23 11:03:27 martin Exp $ */ +/* $NetBSD: icmp6.c,v 1.211.6.8 2018/10/25 18:32:54 martin Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.7 2018/06/23 11:03:27 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.8 2018/10/25 18:32:54 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2866,7 +2866,6 @@ icmp6_redirect_timeout(struct rtentry *r if ((rt->rt_flags & (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) == (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) { - printf("%s: RTM_DELETE\n", __func__); rtrequest(RTM_DELETE, rt_getkey(rt), rt->rt_gateway, rt_mask(rt), rt->rt_flags, ); rt_unref(rt);
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Oct 25 18:32:54 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1071): sys/netinet6/icmp6.c: revision 1.240 Remove a leftover debug printf Pointed out by hannken@ To generate a diff of this commit: cvs rdiff -u -r1.211.6.7 -r1.211.6.8 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Sep 27 15:57:07 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_var.h Log Message: Additional change needed for ticket #1041: sys/netinet6/ip6_var.h (apply patch) When reassembling IPv4/IPv6 packets, ensure each fragment has been subject to the same IPsec processing. That is to say, that all fragments are ESP, or AH, or AH+ESP, or none. Add ipsec flags to struct ip6q. To generate a diff of this commit: cvs rdiff -u -r1.74.6.2 -r1.74.6.3 src/sys/netinet6/ip6_var.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_var.h diff -u src/sys/netinet6/ip6_var.h:1.74.6.2 src/sys/netinet6/ip6_var.h:1.74.6.3 --- src/sys/netinet6/ip6_var.h:1.74.6.2 Sun Feb 11 21:17:34 2018 +++ src/sys/netinet6/ip6_var.h Thu Sep 27 15:57:07 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_var.h,v 1.74.6.2 2018/02/11 21:17:34 snj Exp $ */ +/* $NetBSD: ip6_var.h,v 1.74.6.3 2018/09/27 15:57:07 martin Exp $ */ /* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */ /* @@ -89,6 +89,7 @@ struct ip6q { u_char *ip6q_nxtp; #endif int ip6q_nfrag; /* # of fragments */ + int ip6q_ipsec; /* IPsec flags */ }; struct ip6asfrag {
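Review bot: The new field comment `/* IPsec flags */` in struct ip6q does not say which flags are stored or when they are compared. Going by the log message, the field lets reassembly reject a fragment whose IPsec processing differs from the rest of the queue, so a comment like `/* IPsec processing seen on this queue's fragments; all must match */` would carry the intent. The exact semantics live in the reassembly code, which is not part of this diff, so the wording needs confirming. If the value is only ever used as a bit mask, an unsigned type would be the more usual choice than `int`.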
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Sep 27 15:57:07 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_var.h Log Message: Additional change needed for ticket #1041: sys/netinet6/ip6_var.h (apply patch) When reassembling IPv4/IPv6 packets, ensure each fragment has been subject to the same IPsec processing. That is to say, that all fragments are ESP, or AH, or AH+ESP, or none. Add ipsec flags to struct ip6q. To generate a diff of this commit: cvs rdiff -u -r1.74.6.2 -r1.74.6.3 src/sys/netinet6/ip6_var.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Aug 15 12:09:58 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #975): sys/netinet6/nd6_rtr.c: revision 1.144 Don't call find_pfxlist_reachable_router, which may sleep, in a pserialize read section Found by knakahara@ To generate a diff of this commit: cvs rdiff -u -r1.135.6.3 -r1.135.6.4 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Aug 15 12:09:58 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #975): sys/netinet6/nd6_rtr.c: revision 1.144 Don't call find_pfxlist_reachable_router, which may sleep, in a pserialize read section Found by knakahara@ To generate a diff of this commit: cvs rdiff -u -r1.135.6.3 -r1.135.6.4 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_rtr.c diff -u src/sys/netinet6/nd6_rtr.c:1.135.6.3 src/sys/netinet6/nd6_rtr.c:1.135.6.4 --- src/sys/netinet6/nd6_rtr.c:1.135.6.3 Tue May 22 17:41:12 2018 +++ src/sys/netinet6/nd6_rtr.c Wed Aug 15 12:09:58 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_rtr.c,v 1.135.6.3 2018/05/22 17:41:12 martin Exp $ */ +/* $NetBSD: nd6_rtr.c,v 1.135.6.4 2018/08/15 12:09:58 martin Exp $ */ /* $KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.3 2018/05/22 17:41:12 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.4 2018/08/15 12:09:58 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -1603,6 +1603,7 @@ nd6_pfxlist_onlink_check(void) } } + int bound = curlwp_bind(); /* * Changes on the prefix status might affect address status as well. * Make sure that all addresses derived from an attached prefix are @@ -1613,6 +1614,9 @@ nd6_pfxlist_onlink_check(void) */ s = pserialize_read_enter(); IN6_ADDRLIST_READER_FOREACH(ia) { + struct psref psref; + bool found; + if (!(ia->ia6_flags & IN6_IFF_AUTOCONF)) continue; 
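Review bot: `int bound = curlwp_bind();` is now taken once near the top of this part of nd6_pfxlist_onlink_check and released by the single `curlwp_bindx(bound);` added at the end of the function (the -1697 hunk), so any `return` between the two would leave the LWP bound. None is visible in the hunks shown, but the function is only partly visible, so this is worth checking. The declaration also lands in the middle of a block, unlike `struct psref psref; bool found;` which the next hunk adds at the top of the loop body; declaring `int bound;` with the function's other locals and keeping only `bound = curlwp_bind();` here would be consistent.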
@@ -1625,14 +1629,19 @@ nd6_pfxlist_onlink_check(void) continue; } - if (find_pfxlist_reachable_router(ia->ia6_ndpr)) + ia6_acquire(ia, ); + pserialize_read_exit(s); + + found = find_pfxlist_reachable_router(ia->ia6_ndpr) != NULL; + + s = pserialize_read_enter(); + ia6_release(ia, ); + if (found) break; } pserialize_read_exit(s); if (ia) { - int bound = curlwp_bind(); - s = pserialize_read_enter(); IN6_ADDRLIST_READER_FOREACH(ia) { struct ifaddr *ifa = (struct ifaddr *)ia; @@ -1669,11 +1678,8 @@ nd6_pfxlist_onlink_check(void) ia6_release(ia, ); } pserialize_read_exit(s); - curlwp_bindx(bound); } else { - int bound = curlwp_bind(); - s = pserialize_read_enter(); IN6_ADDRLIST_READER_FOREACH(ia) { if ((ia->ia6_flags & IN6_IFF_AUTOCONF) == 0) @@ -1697,8 +1703,9 @@ nd6_pfxlist_onlink_check(void) } } pserialize_read_exit(s); - curlwp_bindx(bound); } + + curlwp_bindx(bound); } static int
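Review bot: In the -1625 hunk, `find_pfxlist_reachable_router(ia->ia6_ndpr)` now runs outside the pserialize read section with `ia` pinned only by the psref, and the loop then resumes `IN6_ADDRLIST_READER_FOREACH` from that same `ia` after `ia6_release()`. If `ia` can be unlinked from the address list while the section is dropped, the hunk does not show what keeps the continued traversal, and the read of `ia->ia6_ndpr`, valid. A comment stating the invariant relied on, e.g. `/* psref keeps ia alive; its list linkage must stay readable until we re-enter */`, would help, after confirming it against the list's removal path. After `break`, the later `if (ia)` uses `ia` only as a found/not-found flag with no reference held, which is fine as long as it is not dereferenced there.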
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sat Jun 23 11:03:27 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #893): sys/netinet6/icmp6.c: revision 1.228,1.230 Remove the RH0 code from ICMPv6. RH0 is deprecated by RFC5095 (2007) for security reasons. We already removed it in Route6. In addition there was an mbuf bug here: calling IP6_EXTHDR_GET twice with the same offset, but still using the pointer from the first call, which could have been made invalid. By luck, m_pulldown leaves zero-sized mbufs in place, instead of freeing them. And in general, using a 'finaldst' pointer on the mbuf, and then modifying that mbuf with IP6_EXTHDR_GET with a smaller offset, was really error- prone. Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the beginning of the packet (off+ip6_plen is beyond the end of the mbuf). By luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer overflows in non-jumbogram packets. For jumbograms we will probably be in trouble here; but it doesn't seem possible to craft reliably a jumbogram for a non-jumbogram-enabled device. So I don't think it's a huge problem. To generate a diff of this commit: cvs rdiff -u -r1.211.6.6 -r1.211.6.7 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.211.6.6 src/sys/netinet6/icmp6.c:1.211.6.7 --- src/sys/netinet6/icmp6.c:1.211.6.6 Fri Jun 8 10:14:33 2018 +++ src/sys/netinet6/icmp6.c Sat Jun 23 11:03:27 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.211.6.6 2018/06/08 10:14:33 martin Exp $ */ +/* $NetBSD: icmp6.c,v 1.211.6.7 2018/06/23 11:03:27 martin Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* 
@@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.6 2018/06/08 10:14:33 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.7 2018/06/23 11:03:27 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -969,8 +969,6 @@ icmp6_notify_error(struct mbuf *m, int o int icmp6type = icmp6->icmp6_type; struct ip6_frag *fh; struct ip6_rthdr *rth; - struct ip6_rthdr0 *rth0; - int rthlen; struct ifnet *rcvif; int s; @@ -995,46 +993,15 @@ icmp6_notify_error(struct mbuf *m, int o nxt = eh->ip6e_nxt; break; case IPPROTO_ROUTING: -/* - * When the erroneous packet contains a - * routing header, we should examine the - * header to determine the final destination. - * Otherwise, we can't properly update - * information that depends on the final - * destination (e.g. path MTU). - */ +/* Ignore the option. */ IP6_EXTHDR_GET(rth, struct ip6_rthdr *, m, eoff, sizeof(*rth)); if (rth == NULL) { ICMP6_STATINC(ICMP6_STAT_TOOSHORT); return (-1); } -rthlen = (rth->ip6r_len + 1) << 3; -/* - * XXX: currently there is no - * officially defined type other - * than type-0. - * Note that if the segment left field - * is 0, all intermediate hops must - * have been passed. - */ -if (rth->ip6r_segleft && -rth->ip6r_type == IPV6_RTHDR_TYPE_0) { - int hops; - - IP6_EXTHDR_GET(rth0, - struct ip6_rthdr0 *, m, - eoff, rthlen); - if (rth0 == NULL) { - ICMP6_STATINC(ICMP6_STAT_TOOSHORT); - return (-1); - } - /* just ignore a bogus header */ - if ((rth0->ip6r0_len % 2) == 0 && - (hops = rth0->ip6r0_len/2)) - finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1); -} -eoff += rthlen; + +eoff += (rth->ip6r_len + 1) << 3; nxt = rth->ip6r_nxt; break; case IPPROTO_FRAGMENT: @@ -2268,7 +2235,7 @@ icmp6_redirect_input(struct mbuf *m, int struct ifnet *ifp; struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); struct nd_redirect *nd_rd; - int icmp6len = ntohs(ip6->ip6_plen); + int icmp6len = m->m_pkthdr.len - off; char *lladdr = NULL; int lladdrlen = 0; struct rtentry *rt = NULL;
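Review bot: The replacement comment `/* Ignore the option. */` in the `IPPROTO_ROUTING` case of icmp6_notify_error is misleading, because the code does not ignore the header: it still reads `ip6r_len` and `ip6r_nxt` to step over it. Something like `/* Skip the routing header; RH0 is deprecated (RFC 5095) and no longer parsed. */` matches what the code does and records why `finaldst` is no longer derived here. `eoff` is advanced by a length taken from the packet, `(rth->ip6r_len + 1) << 3`, so the bound on the next header read depends on later `IP6_EXTHDR_GET` calls that are outside this hunk.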
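Review bot: `icmp6len` in icmp6_redirect_input is now `m->m_pkthdr.len - off`, but nothing next to the declaration says why it must not be `ip6_plen`. A comment such as `/* bytes from off to the end of the packet; ip6_plen is wrong when off is not right after the IPv6 header */` would keep the old expression from coming back. The variable remains a signed `int`, and the rest of the function is outside the hunk, so whether a too-small value is rejected before it is used as a length cannot be checked from here.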
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sat Jun 23 11:03:27 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #893): sys/netinet6/icmp6.c: revision 1.228,1.230 Remove the RH0 code from ICMPv6. RH0 is deprecated by RFC5095 (2007) for security reasons. We already removed it in Route6. In addition there was an mbuf bug here: calling IP6_EXTHDR_GET twice with the same offset, but still using the pointer from the first call, which could have been made invalid. By luck, m_pulldown leaves zero-sized mbufs in place, instead of freeing them. And in general, using a 'finaldst' pointer on the mbuf, and then modifying that mbuf with IP6_EXTHDR_GET with a smaller offset, was really error- prone. Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the beginning of the packet (off+ip6_plen is beyond the end of the mbuf). By luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer overflows in non-jumbogram packets. For jumbograms we will probably be in trouble here; but it doesn't seem possible to craft reliably a jumbogram for a non-jumbogram-enabled device. So I don't think it's a huge problem. To generate a diff of this commit: cvs rdiff -u -r1.211.6.6 -r1.211.6.7 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Jun 7 17:48:31 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c in6_var.h mld6.c nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #842): sys/netinet6/mld6.c: revision 1.93-1.99 sys/netinet6/in6_var.h: revision 1.99,1.100 sys/netinet6/in6.c: revision 1.267,1.268 sys/netinet6/nd6.c: revision 1.249 Don't hold softnet_lock in mld_timeo Then we can get rid of remaining abuses of mutex_owned(softnet_lock). Release in6_multilock on callout_halt of mld_timeo to avoid a deadlock Improve atomicity of in6_leavegroup and in6_delmulti Avoid NULL pointer dereference on imm->i6mm_maddr Make a refcount decrement and a removal from a list of an item atomic in6m_refcount of an in6m can be incremented if the in6m is on the list (if_multiaddrs) in in6_addmulti or mld_input. So we must avoid such an increment when we try to destroy an in6m. To this end we must make an in6m_refcount decrement and a removal of an in6m from if_multiaddrs atomic. Make a deletion of in6m in nd6_rtrequest atomic Move LIST_REMOVE mld_stoptimer releases in6_multilock temporarily, so we must LIST_REMOVE first. Avoid double LIST_REMOVE which corrupts lists Mark in6m as used for non-DIAGNOSTIC builds. To generate a diff of this commit: cvs rdiff -u -r1.245.2.10 -r1.245.2.11 src/sys/netinet6/in6.c cvs rdiff -u -r1.97 -r1.97.6.1 src/sys/netinet6/in6_var.h cvs rdiff -u -r1.89.2.1 -r1.89.2.2 src/sys/netinet6/mld6.c cvs rdiff -u -r1.232.2.7 -r1.232.2.8 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6.c diff -u src/sys/netinet6/in6.c:1.245.2.10 src/sys/netinet6/in6.c:1.245.2.11 --- src/sys/netinet6/in6.c:1.245.2.10 Sun Apr 8 06:09:12 2018 +++ src/sys/netinet6/in6.c Thu Jun 7 17:48:31 2018 
@@ -1,4 +1,4 @@ -/* $NetBSD: in6.c,v 1.245.2.10 2018/04/08 06:09:12 snj Exp $ */ +/* $NetBSD: in6.c,v 1.245.2.11 2018/06/07 17:48:31 martin Exp $ */ /* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.10 2018/04/08 06:09:12 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.245.2.11 2018/06/07 17:48:31 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -1407,9 +1407,11 @@ in6_purgeaddr(struct ifaddr *ifa) again: mutex_enter(_ifaddr_lock); while ((imm = LIST_FIRST(>ia6_memberships)) != NULL) { + struct in6_multi *in6m __diagused = imm->i6mm_maddr; + KASSERT(in6m == NULL || in6m->in6m_ifp == ifp); LIST_REMOVE(imm, i6mm_chain); mutex_exit(_ifaddr_lock); - KASSERT(imm->i6mm_maddr->in6m_ifp == ifp); + in6_leavegroup(imm); goto again; } Index: src/sys/netinet6/in6_var.h diff -u src/sys/netinet6/in6_var.h:1.97 src/sys/netinet6/in6_var.h:1.97.6.1 --- src/sys/netinet6/in6_var.h:1.97 Thu Mar 2 09:48:20 2017 +++ src/sys/netinet6/in6_var.h Thu Jun 7 17:48:31 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_var.h,v 1.97 2017/03/02 09:48:20 ozaki-r Exp $ */ +/* $NetBSD: in6_var.h,v 1.97.6.1 2018/06/07 17:48:31 martin Exp $ */ /* $KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -691,6 +691,9 @@ void in6_purge_multi(struct ifnet *); struct in6_multi *in6_addmulti(struct in6_addr *, struct ifnet *, int *, int); void in6_delmulti(struct in6_multi *); +void in6_delmulti_locked(struct in6_multi *); +void in6_lookup_and_delete_multi(const struct in6_addr *, + const struct ifnet *); struct in6_multi_mship *in6_joingroup(struct ifnet *, struct in6_addr *, int *, int); int in6_leavegroup(struct in6_multi_mship *); Index: src/sys/netinet6/mld6.c diff -u src/sys/netinet6/mld6.c:1.89.2.1 src/sys/netinet6/mld6.c:1.89.2.2 --- src/sys/netinet6/mld6.c:1.89.2.1 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/mld6.c Thu Jun 7 17:48:31 2018 
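Review bot: The rewritten assertion in in6_purgeaddr accepts `imm->i6mm_maddr == NULL`, yet `in6_leavegroup(imm)` is still called unconditionally a few lines later. Whether in6_leavegroup tolerates a NULL `i6mm_maddr` is decided outside this hunk; the log message suggests it was changed to do so, but that is worth confirming because the KASSERT gives no protection on non-DIAGNOSTIC kernels. A comment at the call, e.g. `/* i6mm_maddr may be NULL here; in6_leavegroup() must cope with that */`, would tie the two together. The assertion is now evaluated before `mutex_exit()`, while the lock is still held, which looks like the safer placement.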
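Review bot: The two prototypes added to in6_var.h, `in6_delmulti_locked()` and `in6_lookup_and_delete_multi()`, come without any statement of their locking contract. The `_locked` suffix implies that the caller must already hold a lock, but the header does not say which one or in what mode. A one-line comment above each, such as `/* caller must hold the multicast list lock as writer */` (exact lock to be confirmed against mld6.c), would prevent misuse from other files.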
@@ -1,4 +1,4 @@ -/* $NetBSD: mld6.c,v 1.89.2.1 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: mld6.c,v 1.89.2.2 2018/06/07 17:48:31 martin Exp $ */ /* $KAME: mld6.c,v 1.25 2001/01/16 14:14:18 itojun Exp $ */ /* @@ -102,7 +102,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.89.2.1 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.89.2.2 2018/06/07 17:48:31 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -225,10 +225,7 @@ mld_stoptimer(struct in6_multi *in6m) rw_exit(_multilock); - if (mutex_owned(softnet_lock)) - callout_halt(>in6m_timer_ch, softnet_lock); - else - callout_halt(>in6m_timer_ch, NULL); + callout_halt(>in6m_timer_ch, NULL); rw_enter(_multilock, RW_WRITER); @@ -242,7 +239,7 @@ mld_timeo(void *arg) KASSERT(in6m->in6m_refcount > 0); - SOFTNET_KERNEL_LOCK_UNLESS_NET_MPSAFE(); + KERNEL_LOCK_UNLESS_NET_MPSAFE(); rw_enter(_multilock, RW_WRITER); if (in6m->in6m_timer == IN6M_TIMER_UNDEF) goto out; @@ -260,7 +257,7 @@ mld_timeo(void *arg)
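Review bot: mld_stoptimer drops in6_multilock before `callout_halt()` and retakes it as writer afterwards, and that window is not documented anywhere in the hunk. A caller that still has in6m linked on a list can have it found by another thread while the lock is released, which is the ordering problem the log message describes for LIST_REMOVE. I would add a comment at the rw_exit line such as `/* in6_multilock is released across callout_halt(); callers must unlink in6m first */`. The function starts above the hunk, so the statement about callers is inferred from the log message rather than from visible code.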
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Jun 7 17:48:31 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6.c in6_var.h mld6.c nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #842): sys/netinet6/mld6.c: revision 1.93-1.99 sys/netinet6/in6_var.h: revision 1.99,1.100 sys/netinet6/in6.c: revision 1.267,1.268 sys/netinet6/nd6.c: revision 1.249 Don't hold softnet_lock in mld_timeo Then we can get rid of remaining abuses of mutex_owned(softnet_lock). Release in6_multilock on callout_halt of mld_timeo to avoid a deadlock Improve atomicity of in6_leavegroup and in6_delmulti Avoid NULL pointer dereference on imm->i6mm_maddr Make a refcount decrement and a removal from a list of an item atomic in6m_refcount of an in6m can be incremented if the in6m is on the list (if_multiaddrs) in in6_addmulti or mld_input. So we must avoid such an increment when we try to destroy an in6m. To this end we must make an in6m_refcount decrement and a removal of an in6m from if_multiaddrs atomic. Make a deletion of in6m in nd6_rtrequest atomic Move LIST_REMOVE mld_stoptimer releases in6_multilock temporarily, so we must LIST_REMOVE first. Avoid double LIST_REMOVE which corrupts lists Mark in6m as used for non-DIAGNOSTIC builds. To generate a diff of this commit: cvs rdiff -u -r1.245.2.10 -r1.245.2.11 src/sys/netinet6/in6.c cvs rdiff -u -r1.97 -r1.97.6.1 src/sys/netinet6/in6_var.h cvs rdiff -u -r1.89.2.1 -r1.89.2.2 src/sys/netinet6/mld6.c cvs rdiff -u -r1.232.2.7 -r1.232.2.8 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue May 22 17:41:12 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #830): sys/netinet6/nd6_rtr.c: revision 1.142 Add missing m_put_rcvif_psref. To generate a diff of this commit: cvs rdiff -u -r1.135.6.2 -r1.135.6.3 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_rtr.c diff -u src/sys/netinet6/nd6_rtr.c:1.135.6.2 src/sys/netinet6/nd6_rtr.c:1.135.6.3 --- src/sys/netinet6/nd6_rtr.c:1.135.6.2 Mon Feb 5 14:55:15 2018 +++ src/sys/netinet6/nd6_rtr.c Tue May 22 17:41:12 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_rtr.c,v 1.135.6.2 2018/02/05 14:55:15 martin Exp $ */ +/* $NetBSD: nd6_rtr.c,v 1.135.6.3 2018/05/22 17:41:12 martin Exp $ */ /* $KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.2 2018/02/05 14:55:15 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.135.6.3 2018/05/22 17:41:12 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -179,6 +179,7 @@ nd6_rs_input(struct mbuf *m, int off, in IP6_EXTHDR_GET(nd_rs, struct nd_router_solicit *, m, off, icmp6len); if (nd_rs == NULL) { ICMP6_STATINC(ICMP6_STAT_TOOSHORT); + m_put_rcvif_psref(ifp, ); return; }
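Review bot: The added `m_put_rcvif_psref()` fixes only the `nd_rs == NULL` return in nd6_rs_input, and releasing the reference by hand at each early return is how this path was missed in the first place. A leaked reference on the receive interface tends to surface much later, when the interface is detached and the teardown waits for it, so the release is worth making structural. Routing every exit through one label that calls `m_put_rcvif_psref()` would do that. The rest of the function is outside the hunk, so the other return paths need checking against the full file.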
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue May 22 17:41:12 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #830): sys/netinet6/nd6_rtr.c: revision 1.142 Add missing m_put_rcvif_psref. To generate a diff of this commit: cvs rdiff -u -r1.135.6.2 -r1.135.6.3 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sat Mar 31 10:27:40 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #665): sys/netinet6/icmp6.c: revision 1.215 Style, and four fixes: * Remove the (disabled) IPPROTO_ESP check. If the packet was decrypted it will have M_DECRYPTED, and this is already checked. * Memory leaks in icmp6_error2. They seem hardly triggerable. * Fix miscomputation in _icmp6_input, the ICMP6 header is not guaranteed to be located right after the IP6 header. ok mlelstv@ * Memory leak in _icmp6_input. This one seems to be impossible to trigger. To generate a diff of this commit: cvs rdiff -u -r1.211.6.3 -r1.211.6.4 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.211.6.3 src/sys/netinet6/icmp6.c:1.211.6.4 --- src/sys/netinet6/icmp6.c:1.211.6.3 Wed Nov 8 22:24:55 2017 +++ src/sys/netinet6/icmp6.c Sat Mar 31 10:27:40 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.211.6.3 2017/11/08 22:24:55 snj Exp $ */ +/* $NetBSD: icmp6.c,v 1.211.6.4 2018/03/31 10:27:40 martin Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.3 2017/11/08 22:24:55 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.4 2018/03/31 10:27:40 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -292,8 +292,7 @@ icmp6_error2(struct mbuf *m, int type, i { struct ip6_hdr *ip6; - if (ifp == NULL) - return; + KASSERT(ifp != NULL); if (m->m_len < sizeof(struct ip6_hdr)) { m = m_pullup(m, sizeof(struct ip6_hdr)); 
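Review bot: Replacing `if (ifp == NULL) return;` with `KASSERT(ifp != NULL)` in icmp6_error2 removes the runtime guard on kernels built without DIAGNOSTIC, where KASSERT compiles to nothing and a NULL ifp would flow into `in6_setscope()`. If every caller is known to pass a valid interface this is fine, but that is not visible from the hunk. Keeping a guard that also frees the mbuf, `if (ifp == NULL) goto out;` using the `out:` label this commit adds in the following hunk, would keep the leak fix and stay safe in release builds.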
@@ -304,11 +303,15 @@ icmp6_error2(struct mbuf *m, int type, i ip6 = mtod(m, struct ip6_hdr *); if (in6_setscope(>ip6_src, ifp, NULL) != 0) - return; + goto out; if (in6_setscope(>ip6_dst, ifp, NULL) != 0) - return; + goto out; icmp6_error(m, type, code, param); + return; + +out: + m_freem(m); } /* @@ -344,7 +347,7 @@ icmp6_error(struct mbuf *m, int type, in * we should basically suppress sending an error (RFC 2463, Section * 2.4). * We have two exceptions (the item e.2 in that section): - * - the Pakcet Too Big message can be sent for path MTU discovery. + * - the Packet Too Big message can be sent for path MTU discovery. * - the Parameter Problem Message that can be allowed an icmp6 error * in the option type field. This check has been done in * ip6_unknown_opt(), so we can just check the type and code. @@ -391,18 +394,7 @@ icmp6_error(struct mbuf *m, int type, in } else { /* ICMPv6 informational - send the error */ } - } -#if 0 /* controversial */ - else if (off >= 0 && nxt == IPPROTO_ESP) { - /* - * It could be ICMPv6 error inside ESP. Take a safer side, - * don't respond. - */ - ICMP6_STATINC(ICMP6_STAT_CANTERROR); - goto freeit; - } -#endif - else { + } else { /* non-ICMPv6 - send the error */ } @@ -452,11 +444,13 @@ icmp6_error(struct mbuf *m, int type, in m_reset_rcvif(m); ICMP6_STATINC(ICMP6_STAT_OUTHIST + type); - icmp6_reflect(m, sizeof(struct ip6_hdr)); /* header order: IPv6 - ICMPv6 */ + + /* header order: IPv6 - ICMPv6 */ + icmp6_reflect(m, sizeof(struct ip6_hdr)); return; - freeit: +freeit: /* * If we can't tell whether or not we can generate ICMP6, free it. */ @@ -473,7 +467,7 @@ _icmp6_input(struct mbuf *m, int off, in struct ip6_hdr *ip6, *nip6; struct icmp6_hdr *icmp6, *nicmp6; int icmp6len = m->m_pkthdr.len - off; - int code, sum, noff; + int code, sum; struct ifnet *rcvif; struct psref psref; char ip6buf[INET6_ADDRSTRLEN], ip6buf2[INET6_ADDRSTRLEN]; 
@@ -513,6 +507,7 @@ _icmp6_input(struct mbuf *m, int off, in icmp6_ifstat_inc(rcvif, ifs6_in_error); goto freeit; } + /* * Enforce alignment requirements that are violated in * some cases, see kern/50766 for details. @@ -525,7 +520,7 @@ _icmp6_input(struct mbuf *m, int off, in goto freeit; } ip6 = mtod(m, struct ip6_hdr *); - icmp6 = (struct icmp6_hdr *)(ip6 + 1); + icmp6 = (struct icmp6_hdr *)(mtod(m, char *) + off); } KASSERT(IP6_HDR_ALIGNED_P(icmp6)); @@ -739,8 +734,6 @@ _icmp6_input(struct mbuf *m, int off, in n = m_copym(m, 0, M_COPYALL, M_DONTWAIT); if (n) n = ni6_input(n, off); - /* XXX meaningless if n == NULL */ - noff = sizeof(struct ip6_hdr); } else { u_char *p; int maxhlen; @@ -765,34 +758,36 @@ _icmp6_input(struct mbuf *m, int off, in m_reset_rcvif(n); n->m_len = 0; maxhlen = M_TRAILINGSPACE(n) - ICMP6_MAXLEN; - if (maxhlen < 0) + if (maxhlen < 0) { +m_free(n); break; + } if (maxhlen > hostnamelen) maxhlen = hostnamelen; /* * Copy IPv6 and ICMPv6 only. */ nip6 = mtod(n, struct ip6_hdr *);
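Review bot: The corrected `icmp6 = (struct icmp6_hdr *)(mtod(m, char *) + off);` depends on the first mbuf holding at least `off + sizeof(struct icmp6_hdr)` contiguous bytes after the realignment call, which sits above the hunk. I would state that next to the assignment, for example `/* first mbuf now holds off + sizeof(struct icmp6_hdr) contiguous bytes */`, after confirming the length passed to that call. The `KASSERT(IP6_HDR_ALIGNED_P(icmp6))` that follows checks alignment only, not length.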
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Sat Mar 31 10:27:40 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #665): sys/netinet6/icmp6.c: revision 1.215 Style, and four fixes: * Remove the (disabled) IPPROTO_ESP check. If the packet was decrypted it will have M_DECRYPTED, and this is already checked. * Memory leaks in icmp6_error2. They seem hardly triggerable. * Fix miscomputation in _icmp6_input, the ICMP6 header is not guaranteed to be located right after the IP6 header. ok mlelstv@ * Memory leak in _icmp6_input. This one seems to be impossible to trigger. To generate a diff of this commit: cvs rdiff -u -r1.211.6.3 -r1.211.6.4 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 12:01:31 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6_proto.c Log Message: Pull up following revision(s) (requested by maxv in ticket #672): sys/netinet6/in6_proto.c: revision 1.120 Change ip6_hdrnestlimit to be 15 instead of 50. I couldn't find any reference in RFCs about what a correct limit should be, but FreeBSD already uses 15. If an IPv6 packet has 50 options, there is clearly something wrong with it. To generate a diff of this commit: cvs rdiff -u -r1.117.4.2 -r1.117.4.3 src/sys/netinet6/in6_proto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 12:01:31 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6_proto.c Log Message: Pull up following revision(s) (requested by maxv in ticket #672): sys/netinet6/in6_proto.c: revision 1.120 Change ip6_hdrnestlimit to be 15 instead of 50. I couldn't find any reference in RFCs about what a correct limit should be, but FreeBSD already uses 15. If an IPv6 packet has 50 options, there is clearly something wrong with it. To generate a diff of this commit: cvs rdiff -u -r1.117.4.2 -r1.117.4.3 src/sys/netinet6/in6_proto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_proto.c diff -u src/sys/netinet6/in6_proto.c:1.117.4.2 src/sys/netinet6/in6_proto.c:1.117.4.3 --- src/sys/netinet6/in6_proto.c:1.117.4.2 Tue Oct 24 08:55:55 2017 +++ src/sys/netinet6/in6_proto.c Fri Mar 30 12:01:30 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_proto.c,v 1.117.4.2 2017/10/24 08:55:55 snj Exp $ */ +/* $NetBSD: in6_proto.c,v 1.117.4.3 2018/03/30 12:01:30 martin Exp $ */ /* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.117.4.2 2017/10/24 08:55:55 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.117.4.3 2018/03/30 12:01:30 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -569,7 +569,7 @@ int ip6_accept_rtadv = 0; /* "IPV6FORWAR int ip6_maxfragpackets = 200; int ip6_maxfrags = 200; int ip6_log_interval = 5; -int ip6_hdrnestlimit = 50; /* appropriate? */ +int ip6_hdrnestlimit = 15; /* appropriate? */ int ip6_dad_count = 1; /* DupAddrDetectionTransmits */ int ip6_auto_flowlabel = 1; int ip6_use_deprecated = 1; /* allow deprecated addr (RFC2462 5.5.4) */
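Review bot: The trailing comment `/* appropriate? */` on ip6_hdrnestlimit was carried over unchanged, so the new value 15 still has no stated rationale at the definition. The log message gives one (no RFC limit found, matches FreeBSD), and the check in ip6_input, `if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit))`, shows that 0 turns the limit off. I would replace the comment with `/* max nested extension headers per packet; 0 disables the check */`.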
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:57:13 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_forward.c Log Message: Pull up following revision(s) (requested by maxv in ticket #671): sys/netinet6/ip6_forward.c: revision 1.91 Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed, and a 'goto out' is missing after ipsec6_process_packet. To generate a diff of this commit: cvs rdiff -u -r1.87.2.2 -r1.87.2.3 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.87.2.2 src/sys/netinet6/ip6_forward.c:1.87.2.3 --- src/sys/netinet6/ip6_forward.c:1.87.2.2 Tue Jan 9 19:30:45 2018 +++ src/sys/netinet6/ip6_forward.c Fri Mar 30 11:57:13 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.87.2.2 2018/01/09 19:30:45 snj Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.87.2.3 2018/03/30 11:57:13 martin Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.87.2.2 2018/01/09 19:30:45 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.87.2.3 2018/03/30 11:57:13 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -197,6 +197,7 @@ ip6_forward(struct mbuf *m, int srcrt) */ if (error == -EINVAL) error = 0; + m_freem(m); goto freecopy; } } @@ -268,8 +269,10 @@ ip6_forward(struct mbuf *m, int srcrt) int s = splsoftnet(); error = ipsec6_process_packet(m, sp->req); splx(s); + /* m is freed */ if (mcopy) goto freecopy; + goto out; } #endif
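Review bot: After both fixes `m` is a dangling pointer on the paths that jump to `freecopy` and `out`, and the only record of that is the comment `/* m is freed */`. Whether the code at those labels touches `m` is outside the hunks, so it should be checked in the full function. Setting `m = NULL;` right after `m_freem(m)` and after `ipsec6_process_packet()` returns would make any later use fail at once instead of reading freed memory.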
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:57:13 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_forward.c Log Message: Pull up following revision(s) (requested by maxv in ticket #671): sys/netinet6/ip6_forward.c: revision 1.91 Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed, and a 'goto out' is missing after ipsec6_process_packet. To generate a diff of this commit: cvs rdiff -u -r1.87.2.2 -r1.87.2.3 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:43:00 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #666): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.157.2.2 -r1.157.2.3 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.157.2.2 src/sys/netinet6/raw_ip6.c:1.157.2.3 --- src/sys/netinet6/raw_ip6.c:1.157.2.2 Tue Jan 30 18:21:09 2018 +++ src/sys/netinet6/raw_ip6.c Fri Mar 30 11:42:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -481,6 +481,7 @@ rip6_output(struct mbuf *m, struct socke if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 || in6p->in6p_cksum != -1) { + const uint8_t nxt = ip6->ip6_nxt; int off; u_int16_t sum; @@ -502,7 +503,7 @@ rip6_output(struct mbuf *m, struct socke error = ENOBUFS; goto bad; } - sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen); + sum = in6_cksum(m, nxt, sizeof(*ip6), plen); m = m_copyback_cow(m, off, sizeof(sum), (void *), M_DONTWAIT); if (m == NULL) {
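Review bot: Caching `ip6->ip6_nxt` in `nxt` removes the one stale read, but `ip6` itself still points into an mbuf that `m_copyback_cow()` may have replaced. `sizeof(*ip6)` is harmless because the operand is not evaluated, yet any dereference of `ip6` later in rip6_output, which continues past the hunk, would be the same use-after-free. I would add `/* ip6 may be stale after m_copyback_cow(); re-derive with mtod() before use */` next to the new declaration, or reload `ip6 = mtod(m, struct ip6_hdr *);` after the last copyback succeeds.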
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:43:00 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #666): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.157.2.2 -r1.157.2.3 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:23:20 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: dest6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #664): sys/netinet6/dest6.c: revision 1.21 Fix the calculation of the ICMP6 error pointer. It is not correct to use pointer = opt - mtod(m, u_int8_t *) because m may have gone through m_pulldown, and it is possible that m->m_data is no longer the beginning of the packet. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet6/dest6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/dest6.c diff -u src/sys/netinet6/dest6.c:1.20 src/sys/netinet6/dest6.c:1.20.8.1 --- src/sys/netinet6/dest6.c:1.20 Wed Jan 11 13:08:29 2017 +++ src/sys/netinet6/dest6.c Fri Mar 30 11:23:20 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: dest6.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $ */ +/* $NetBSD: dest6.c,v 1.20.8.1 2018/03/30 11:23:20 martin Exp $ */ /* $KAME: dest6.c,v 1.25 2001/02/22 01:39:16 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: dest6.c,v 1.20 2017/01/11 13:08:29 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: dest6.c,v 1.20.8.1 2018/03/30 11:23:20 martin Exp $"); #include #include @@ -56,7 +56,7 @@ int dest6_input(struct mbuf **mp, int *offp, int proto) { struct mbuf *m = *mp; - int off = *offp, dstoptlen, optlen; + int off = *offp, erroff, dstoptlen, optlen; struct ip6_dest *dstopts; u_int8_t *opt; @@ -89,8 +89,8 @@ dest6_input(struct mbuf **mp, int *offp, optlen = *(opt + 1) + 2; break; default: /* unknown option */ - optlen = ip6_unknown_opt(opt, m, - opt - mtod(m, u_int8_t *)); + erroff = *offp + (opt - (u_int8_t *)dstopts); + optlen = ip6_unknown_opt(opt, m, erroff); if (optlen == -1) return (IPPROTO_DONE); optlen += 2; 
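Review bot: The new `erroff = *offp + (opt - (u_int8_t *)dstopts);` is correct only while `*offp` still holds the offset of the destination options header, and nothing at that line says so. The visible code stores `*offp = off` only after the loop, so the assumption holds today, but it is easy to break by moving that store. A comment such as `/* *offp is still the start of this header; it is updated after the loop */` would pin it down. The start of the option loop in dest6_input is outside the hunk.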
@@ -99,9 +99,9 @@ dest6_input(struct mbuf **mp, int *offp, } *offp = off; - return (dstopts->ip6d_nxt); + return dstopts->ip6d_nxt; - bad: +bad: m_freem(m); - return (IPPROTO_DONE); + return IPPROTO_DONE; }
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:23:20 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: dest6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #664): sys/netinet6/dest6.c: revision 1.21 Fix the calculation of the ICMP6 error pointer. It is not correct to use pointer = opt - mtod(m, u_int8_t *) because m may have gone through m_pulldown, and it is possible that m->m_data is no longer the beginning of the packet. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.20.8.1 src/sys/netinet6/dest6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:19:45 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #663): sys/netinet6/frag6.c: revision 1.64 Kick zero-sized fragments. We can't allow them to enter; two fragments could be put at the same offset. To generate a diff of this commit: cvs rdiff -u -r1.60.6.2 -r1.60.6.3 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.2 src/sys/netinet6/frag6.c:1.60.6.3 --- src/sys/netinet6/frag6.c:1.60.6.2 Tue Jan 30 18:21:09 2018 +++ src/sys/netinet6/frag6.c Fri Mar 30 11:19:45 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.3 2018/03/30 11:19:45 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -152,13 +152,14 @@ frag6_input(struct mbuf **mp, int *offp, } /* - * check whether fragment packet's fragment length is + * Check whether fragment packet's fragment length is non-zero and * multiple of 8 octets. * sizeof(struct ip6_frag) == 8 * sizeof(struct ip6_hdr) = 40 */ if ((ip6f->ip6f_offlg & IP6F_MORE_FRAG) && - (((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) { + (((ntohs(ip6->ip6_plen) - offset) == 0) || + ((ntohs(ip6->ip6_plen) - offset) & 0x7) != 0)) { icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offsetof(struct ip6_hdr, ip6_plen)); in6_ifstat_inc(dstifp, ifs6_reass_fail);
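Review bot: The zero-length test uses `ntohs(ip6->ip6_plen) - offset`, which is not the fragment's data length if `offset` is counted from the start of the IPv6 header, as the 40/8 size comment in this hunk implies. With those sizes the expression is 32 less than the data length, so an empty fragment is not caught and a fragment carrying exactly 32 bytes is rejected; the multiple-of-8 test is unaffected because 32 is a multiple of 8. The test is also skipped when IP6F_MORE_FRAG is clear, so an empty last fragment still gets through. Computing the length once, `frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset - sizeof(struct ip6_frag);`, and testing `frgpartlen == 0` outside the IP6F_MORE_FRAG condition would address both.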
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Mar 30 11:19:45 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #663): sys/netinet6/frag6.c: revision 1.64 Kick zero-sized fragments. We can't allow them to enter; two fragments could be put at the same offset. To generate a diff of this commit: cvs rdiff -u -r1.60.6.2 -r1.60.6.3 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: bouyer Date: Tue Mar 20 09:13:15 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #645): sys/netinet6/nd6_nbr.c: revision 1.153 Pull out a sleepable function (in6_selectsrc) from a pserialize read section To generate a diff of this commit: cvs rdiff -u -r1.138.6.4 -r1.138.6.5 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.138.6.4 src/sys/netinet6/nd6_nbr.c:1.138.6.5 --- src/sys/netinet6/nd6_nbr.c:1.138.6.4 Mon Feb 26 13:36:01 2018 +++ src/sys/netinet6/nd6_nbr.c Tue Mar 20 09:13:15 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.138.6.4 2018/02/26 13:36:01 martin Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.138.6.5 2018/03/20 09:13:15 bouyer Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.4 2018/02/26 13:36:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.5 2018/03/20 09:13:15 bouyer Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -459,12 +459,15 @@ nd6_ns_output(struct ifnet *ifp, const s * Otherwise, we perform the source address selection as usual. */ s = pserialize_read_enter(); - if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) + if (hsrc && in6ifa_ifpwithaddr(ifp, hsrc)) { + pserialize_read_exit(s); src = hsrc; - else { + } else { int error; struct sockaddr_in6 dst_sa; + pserialize_read_exit(s); + sockaddr_in6_init(_sa, >ip6_dst, 0, 0, 0); error = in6_selectsrc(_sa, NULL, @@ -480,7 +483,6 @@ nd6_ns_output(struct ifnet *ifp, const s } src = _in; } - pserialize_read_exit(s); } else { /* * Source address for DAD packet must always be IPv6
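Review bot: `pserialize_read_exit(s)` now appears at the top of both branches in nd6_ns_output, which makes it easy for a later edit to add a path that forgets it. Only the boolean result of the lookup is used, so the read section can be closed once before branching: `found = hsrc != NULL && in6ifa_ifpwithaddr(ifp, hsrc) != NULL;` then `pserialize_read_exit(s);` then `if (found) { src = hsrc; } else { ... }`. That still keeps `in6_selectsrc()` outside the read section, as the commit intends.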
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: bouyer Date: Tue Mar 20 09:13:15 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #645): sys/netinet6/nd6_nbr.c: revision 1.153 Pull out a sleepable function (in6_selectsrc) from a pserialize read section To generate a diff of this commit: cvs rdiff -u -r1.138.6.4 -r1.138.6.5 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: bouyer Date: Thu Mar 15 11:27:25 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6_gif.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #632): sys/netinet6/in6_gif.c: revision 1.91 Fix error checking in in6_gif_ctlinput(). if_gif.c:r1.133 introduces gif_update_variant() which ensure ifp->if_flags is set IFF_RUNNING when gif_softc->gif_var->gv_{psrc,pdst} are not null. So, in6_gif_ctlinput() is not required IFF_RUNNING checking. In contrast, it is required gv_{psrc,pdst} NULL checking. To generate a diff of this commit: cvs rdiff -u -r1.85.6.4 -r1.85.6.5 src/sys/netinet6/in6_gif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: bouyer Date: Thu Mar 15 11:27:25 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: in6_gif.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #632): sys/netinet6/in6_gif.c: revision 1.91 Fix error checking in in6_gif_ctlinput(). if_gif.c:r1.133 introduces gif_update_variant() which ensure ifp->if_flags is set IFF_RUNNING when gif_softc->gif_var->gv_{psrc,pdst} are not null. So, in6_gif_ctlinput() is not required IFF_RUNNING checking. In contrast, it is required gv_{psrc,pdst} NULL checking. To generate a diff of this commit: cvs rdiff -u -r1.85.6.4 -r1.85.6.5 src/sys/netinet6/in6_gif.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_gif.c diff -u src/sys/netinet6/in6_gif.c:1.85.6.4 src/sys/netinet6/in6_gif.c:1.85.6.5 --- src/sys/netinet6/in6_gif.c:1.85.6.4 Sun Feb 11 21:17:34 2018 +++ src/sys/netinet6/in6_gif.c Thu Mar 15 11:27:25 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_gif.c,v 1.85.6.4 2018/02/11 21:17:34 snj Exp $ */ +/* $NetBSD: in6_gif.c,v 1.85.6.5 2018/03/15 11:27:25 bouyer Exp $ */ /* $KAME: in6_gif.c,v 1.62 2001/07/29 04:27:25 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_gif.c,v 1.85.6.4 2018/02/11 21:17:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_gif.c,v 1.85.6.5 2018/03/15 11:27:25 bouyer Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -459,9 +459,11 @@ in6_gif_ctlinput(int cmd, const struct s if (!ip6) return NULL; - if ((sc->gif_if.if_flags & IFF_RUNNING) == 0) - return NULL; var = gif_getref_variant(sc, ); + if (var->gv_psrc == NULL || var->gv_pdst == NULL) { + gif_putref_variant(var, ); + return NULL; + } if (var->gv_psrc->sa_family != AF_INET6) { gif_putref_variant(var, ); return NULL;
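Review bot: The new NULL test and the existing `sa_family` test in in6_gif_ctlinput have identical bodies, so the release of the variant reference is now written twice in a row. Merging them keeps a single release path: `if (var->gv_psrc == NULL || var->gv_pdst == NULL || var->gv_psrc->sa_family != AF_INET6) {`. The function continues past the hunk, so any further early returns need the same `gif_putref_variant()` call.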
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Mon Feb 26 00:29:27 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: route6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #569): sys/netinet6/route6.c: 1.24-1.25 Fix the ICMP error code. rh was obtained via IP6_EXTHDR_GET, and it is not guaranteed to be in the same mbuf as ip6, so computing the difference between the pointers may result in a wrong offset. ip6 is now unused, so remove it. -- Remove this code, RH0 must be dropped, according to RFC5095. FreeBSD and OpenBSD already do the same. Also, style, and remove useless includes. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.23.84.1 src/sys/netinet6/route6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Mon Feb 26 00:29:27 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: route6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #569): sys/netinet6/route6.c: 1.24-1.25 Fix the ICMP error code. rh was obtained via IP6_EXTHDR_GET, and it is not guaranteed to be in the same mbuf as ip6, so computing the difference between the pointers may result in a wrong offset. ip6 is now unused, so remove it. -- Remove this code, RH0 must be dropped, according to RFC5095. FreeBSD and OpenBSD already do the same. Also, style, and remove useless includes. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.23.84.1 src/sys/netinet6/route6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/route6.c diff -u src/sys/netinet6/route6.c:1.23 src/sys/netinet6/route6.c:1.23.84.1 --- src/sys/netinet6/route6.c:1.23 Tue Apr 15 03:57:04 2008 +++ src/sys/netinet6/route6.c Mon Feb 26 00:29:27 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: route6.c,v 1.23 2008/04/15 03:57:04 thorpej Exp $ */ +/* $NetBSD: route6.c,v 1.23.84.1 2018/02/26 00:29:27 snj Exp $ */ /* $KAME: route6.c,v 1.22 2000/12/03 00:54:00 itojun Exp $ */ /* @@ -31,13 +31,11 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: route6.c,v 1.23 2008/04/15 03:57:04 thorpej Exp $"); +__KERNEL_RCSID(0, "$NetBSD: route6.c,v 1.23.84.1 2018/02/26 00:29:27 snj Exp $"); #include #include -#include #include -#include #include 
@@ -46,23 +44,16 @@ __KERNEL_RCSID(0, "$NetBSD: route6.c,v 1 #include #include #include -#include #include -#if 0 -static int ip6_rthdr0(struct mbuf *, struct ip6_hdr *, struct ip6_rthdr0 *); -#endif - int route6_input(struct mbuf **mp, int *offp, int proto) { - struct ip6_hdr *ip6; struct mbuf *m = *mp; struct ip6_rthdr *rh; int off = *offp, rhlen; - ip6 = mtod(m, struct ip6_hdr *); IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, sizeof(*rh)); if (rh == NULL) { IP6_STATINC(IP6_STAT_TOOSHORT); @@ -70,41 +61,10 @@ route6_input(struct mbuf **mp, int *offp } switch (rh->ip6r_type) { -#if 0 - /* - * See http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf - * for why IPV6_RTHDR_TYPE_0 is banned here. - * - * We return ICMPv6 parameter problem so that innocent people - * (not an attacker) would notice about the use of IPV6_RTHDR_TYPE_0. - * Since there's no amplification, and ICMPv6 error will be rate- - * controlled, it shouldn't cause any problem. - * If you are concerned about this, you may want to use the following - * code fragment: - * - * case IPV6_RTHDR_TYPE_0: - * m_freem(m); - * return (IPPROTO_DONE); - */ case IPV6_RTHDR_TYPE_0: - rhlen = (rh->ip6r_len + 1) << 3; /* - * note on option length: - * maximum rhlen: 2048 - * max mbuf m_pulldown can handle: MCLBYTES == usually 2048 - * so, here we are assuming that m_pulldown can handle - * rhlen == 2048 case. this may not be a good thing to - * assume - we may want to avoid pulling it up altogether. + * RFC5095: RH0 must be treated as unrecognized. */ - IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen); - if (rh == NULL) { - IP6_STATINC(IP6_STAT_TOOSHORT); - return IPPROTO_DONE; - } - if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh)) - return (IPPROTO_DONE); - break; -#endif default: /* unknown routing type */ if (rh->ip6r_segleft == 0) { 
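Review bot: `case IPV6_RTHDR_TYPE_0:` now falls into `default:` with only the RFC5095 comment between the two labels. Because the case has no statements of its own the compiler will not warn, but the intent reads more clearly with the usual marker, for example `/* RFC5095: RH0 must be treated as unrecognized. FALLTHROUGH */`, or by dropping the case label and keeping the comment on `default:`. The rest of the switch is in the next hunk.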
@@ -113,112 +73,10 @@ route6_input(struct mbuf **mp, int *offp } IP6_STATINC(IP6_STAT_BADOPTIONS); icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, - (char *)>ip6r_type - (char *)ip6); - return (IPPROTO_DONE); + off + offsetof(struct ip6_rthdr, ip6r_type)); + return IPPROTO_DONE; } *offp += rhlen; - return (rh->ip6r_nxt); -} - -#if 0 -/* - * Type0 routing header processing - * - * RFC2292 backward compatibility warning: no support for strict/loose bitmap, - * as it was dropped between RFC1883 and RFC2460. - */ -static int -ip6_rthdr0(struct mbuf *m, struct ip6_hdr *ip6, - struct ip6_rthdr0 *rh0) -{ - int addrs, index; - struct in6_addr *nextaddr, tmpaddr; - const struct ip6aux *ip6a; - - if (rh0->ip6r0_segleft == 0) - return (0); - - if (rh0->ip6r0_len % 2 -#ifdef COMPAT_RFC1883 - || rh0->ip6r0_len > 46 -#endif - ) { - /* - * Type 0 routing header can't contain more than 23 addresses. - * RFC 2462: this limitation was removed since strict/loose - * bitmap field was deleted. - */ - IP6_STATINC(IP6_STAT_BADOPTIONS); - icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, - (char *)>ip6r0_len - (char *)ip6); - return (-1); - } - - if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) { - IP6_STATINC(IP6_STAT_BADOPTIONS); - icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, - (char *)>ip6r0_segleft - (char *)ip6); - return (-1); - } - - index = addrs - rh0->ip6r0_segleft; -
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Mon Feb 26 00:26:46 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #568): sys/netinet6/ip6_input.c: 1.188 Kick nested fragments. To generate a diff of this commit: cvs rdiff -u -r1.178.2.4 -r1.178.2.5 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Mon Feb 26 00:26:46 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #568): sys/netinet6/ip6_input.c: 1.188 Kick nested fragments. To generate a diff of this commit: cvs rdiff -u -r1.178.2.4 -r1.178.2.5 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.178.2.4 src/sys/netinet6/ip6_input.c:1.178.2.5 --- src/sys/netinet6/ip6_input.c:1.178.2.4 Tue Jan 30 18:21:09 2018 +++ src/sys/netinet6/ip6_input.c Mon Feb 26 00:26:46 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $ */ +/* $NetBSD: ip6_input.c,v 1.178.2.5 2018/02/26 00:26:46 snj Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.5 2018/02/26 00:26:46 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -258,7 +258,7 @@ ip6_input(struct mbuf *m, struct ifnet * int hit, off = sizeof(struct ip6_hdr), nest; u_int32_t plen; u_int32_t rtalert = ~0; - int nxt, ours = 0, rh_present = 0; + int nxt, ours = 0, rh_present = 0, frg_present; struct ifnet *deliverifp = NULL; int srcrt = 0; struct rtentry *rt = NULL; @@ -776,6 +776,7 @@ ip6_input(struct mbuf *m, struct ifnet * percpu_putref(ip6_forward_rt_percpu); rh_present = 0; + frg_present = 0; while (nxt != IPPROTO_DONE) { if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { IP6_STATINC(IP6_STAT_TOOMANYHDR); 
@@ -799,6 +800,12 @@ ip6_input(struct mbuf *m, struct ifnet * IP6_STATINC(IP6_STAT_BADOPTIONS); goto bad; } + } else if (nxt == IPPROTO_FRAGMENT) { + if (frg_present++) { +in6_ifstat_inc(rcvif, ifs6_in_hdrerr); +IP6_STATINC(IP6_STAT_BADOPTIONS); +goto bad; + } } #ifdef IPSEC
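Review bot: `if (frg_present++)` in the header-chain loop of ip6_input() tests and increments in one expression, and the added branch has no comment saying why a second Fragment header is fatal. The variable is only a seen-before flag, so testing `if (frg_present)` and setting `frg_present = 1;` after the check reads more clearly. A comment such as `/* Only one Fragment header is accepted per packet; a second one is a nested fragment. */` would record the intent. The declaration hunk at -258,7 leaves `frg_present` without an initializer next to `rh_present = 0`; it is assigned before the loop in the -776,6 hunk, so that is a consistency point only. ip6_input() starts and ends outside these hunks.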
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 12:55:08 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #531): sys/netinet6/nd6_nbr.c: revision 1.145 Fix memory leak. Contrary to what the XXX indicates, this place is 100% reachable remotely. To generate a diff of this commit: cvs rdiff -u -r1.138.6.2 -r1.138.6.3 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6_nbr.c diff -u src/sys/netinet6/nd6_nbr.c:1.138.6.2 src/sys/netinet6/nd6_nbr.c:1.138.6.3 --- src/sys/netinet6/nd6_nbr.c:1.138.6.2 Fri Jan 26 15:41:12 2018 +++ src/sys/netinet6/nd6_nbr.c Fri Feb 2 12:55:08 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6_nbr.c,v 1.138.6.2 2018/01/26 15:41:12 martin Exp $ */ +/* $NetBSD: nd6_nbr.c,v 1.138.6.3 2018/02/02 12:55:08 martin Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.2 2018/01/26 15:41:12 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.138.6.3 2018/02/02 12:55:08 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -607,8 +607,7 @@ nd6_na_input(struct mbuf *m, int off, in taddr6 = nd_na->nd_na_target; if (in6_setscope(, ifp, NULL)) { - m_put_rcvif_psref(ifp, ); - return; /* XXX: impossible */ + goto bad; } if (IN6_IS_ADDR_MULTICAST()) {
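Review bot: The `goto bad` added after the failed in6_setscope() call in nd6_na_input() relies on the `bad:` label, which is outside this hunk. That label must both free `m` and release the rcvif reference that the removed `m_put_rcvif_psref()` call used to drop. This is worth confirming against the full function, since the log message says the path is reachable remotely. A short comment in place of the removed XXX, e.g. `/* reachable from the network: take the common cleanup path */`, would keep the next reader from assuming the branch is dead.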
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 12:55:08 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #531): sys/netinet6/nd6_nbr.c: revision 1.145 Fix memory leak. Contrary to what the XXX indicates, this place is 100% reachable remotely. To generate a diff of this commit: cvs rdiff -u -r1.138.6.2 -r1.138.6.3 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 10:54:02 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_mroute.c Log Message: Pull up following revision(s) (requested by maxv in ticket #530): sys/netinet6/ip6_mroute.c: revision 1.120 Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE, not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain on an mbuf that was already freed. To generate a diff of this commit: cvs rdiff -u -r1.119 -r1.119.6.1 src/sys/netinet6/ip6_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_mroute.c diff -u src/sys/netinet6/ip6_mroute.c:1.119 src/sys/netinet6/ip6_mroute.c:1.119.6.1 --- src/sys/netinet6/ip6_mroute.c:1.119 Wed Mar 1 08:54:12 2017 +++ src/sys/netinet6/ip6_mroute.c Fri Feb 2 10:54:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_mroute.c,v 1.119 2017/03/01 08:54:12 ozaki-r Exp $ */ +/* $NetBSD: ip6_mroute.c,v 1.119.6.1 2018/02/02 10:54:02 martin Exp $ */ /* $KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $ */ /* @@ -117,7 +117,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.119 2017/03/01 08:54:12 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.119.6.1 2018/02/02 10:54:02 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -1886,7 +1886,7 @@ pim6_input(struct mbuf **mp, int *offp, (eip6->ip6_vfc & IPV6_VERSION)); #endif m_freem(m); - return (IPPROTO_NONE); + return (IPPROTO_DONE); } /* verify the inner packet is destined to a mcast group */
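Review bot: The corrected `return (IPPROTO_DONE);` in pim6_input() sits directly after `m_freem(m);`, but nothing in the code says why that particular value matters. A one-line comment such as `/* m is freed: IPPROTO_DONE stops the caller's header-chain walk */` would make the invariant explicit. The other exits of pim6_input() are outside this hunk; any that free `m` need the same return value and are worth checking against the same rule.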
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 10:54:02 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_mroute.c Log Message: Pull up following revision(s) (requested by maxv in ticket #530): sys/netinet6/ip6_mroute.c: revision 1.120 Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE, not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain on an mbuf that was already freed. To generate a diff of this commit: cvs rdiff -u -r1.119 -r1.119.6.1 src/sys/netinet6/ip6_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 18:21:10 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #527): sys/netinet6/frag6.c: revision 1.65 sys/netinet6/ip6_input.c: revision 1.187 sys/netinet6/ip6_var.h: revision 1.78 sys/netinet6/raw_ip6.c: revision 1.160 Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet- controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. 
To generate a diff of this commit: cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.178.2.3 -r1.178.2.4 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.74 -r1.74.6.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.157.2.1 -r1.157.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/frag6.c diff -u src/sys/netinet6/frag6.c:1.60.6.1 src/sys/netinet6/frag6.c:1.60.6.2 --- src/sys/netinet6/frag6.c:1.60.6.1 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/frag6.c Tue Jan 30 18:21:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $ */ /* $KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.1 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.60.6.2 2018/01/30 18:21:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -442,14 +442,6 @@ insert: m_cat(m, t); } - /* - * Store NXT to the original. - */ - { - u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */ - *prvnxtp = nxt; - } - frag6_remque(q6); frag6_nfrags -= q6->ip6q_nfrag; kmem_intr_free(q6, sizeof(struct ip6q)); 
@@ -457,11 +449,30 @@ insert: if (m->m_flags & M_PKTHDR) { /* Isn't it always true? */ int plen = 0; - for (t = m; t; t = t->m_next) + for (t = m; t; t = t->m_next) { + /* + * XXX XXX Why don't we remove M_PKTHDR? + */ plen += t->m_len; + } m->m_pkthdr.len = plen; } + /* + * Restore NXT to the original. + */ + { + const int prvnxt = ip6_get_prevhdr(m, offset); + uint8_t *prvnxtp; + + IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, + sizeof(*prvnxtp)); + if (prvnxtp == NULL) { + goto dropfrag; + } + *prvnxtp = nxt; + } + IP6_STATINC(IP6_STAT_REASSEMBLED); in6_ifstat_inc(dstifp, ifs6_reass_ok); rtcache_unref(rt, ); Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.178.2.3 src/sys/netinet6/ip6_input.c:1.178.2.4 --- src/sys/netinet6/ip6_input.c:1.178.2.3 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/ip6_input.c Tue Jan 30 18:21:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.3 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.178.2.4 2018/01/30 18:21:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -1405,50 +1405,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of } /* - * Get pointer to the previous header followed by the header + * Get offset to the previous header
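Review bot: In the frag6.c hunk at -457,11, the new `goto dropfrag` is taken after the reassembly queue entry has already been unlinked and freed (`frag6_remque(q6)` and `kmem_intr_free(q6, ...)` in the -442,14 hunk). The `dropfrag` label is outside both hunks, so it must be checked that it does not touch `q6` on this path. As far as I know, IP6_EXTHDR_GET releases the chain and clears `m` when it fails; if so, `dropfrag` must also tolerate that state, which is not visible here. A comment at the jump, for example `/* q6 is gone and m may already be released here */`, would document the constraint that the log message itself calls fragile.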
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 18:21:10 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #527): sys/netinet6/frag6.c: revision 1.65 sys/netinet6/ip6_input.c: revision 1.187 sys/netinet6/ip6_var.h: revision 1.78 sys/netinet6/raw_ip6.c: revision 1.160 Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet- controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. 
To generate a diff of this commit: cvs rdiff -u -r1.60.6.1 -r1.60.6.2 src/sys/netinet6/frag6.c cvs rdiff -u -r1.178.2.3 -r1.178.2.4 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.74 -r1.74.6.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.157.2.1 -r1.157.2.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Jan 9 19:30:45 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_forward.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #484): sys/netinet6/ip6_forward.c: 1.89-1.90 Fix use-after-free of mbuf by ip6flow_create This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd. -- Fix use-after-free of mbuf by ip6flow_create (one more) To generate a diff of this commit: cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Jan 9 19:30:45 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_forward.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #484): sys/netinet6/ip6_forward.c: 1.89-1.90 Fix use-after-free of mbuf by ip6flow_create This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd. -- Fix use-after-free of mbuf by ip6flow_create (one more) To generate a diff of this commit: cvs rdiff -u -r1.87.2.1 -r1.87.2.2 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_forward.c diff -u src/sys/netinet6/ip6_forward.c:1.87.2.1 src/sys/netinet6/ip6_forward.c:1.87.2.2 --- src/sys/netinet6/ip6_forward.c:1.87.2.1 Sat Oct 21 19:43:54 2017 +++ src/sys/netinet6/ip6_forward.c Tue Jan 9 19:30:45 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_forward.c,v 1.87.2.1 2017/10/21 19:43:54 snj Exp $ */ +/* $NetBSD: ip6_forward.c,v 1.87.2.2 2018/01/09 19:30:45 snj Exp $ */ /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.87.2.1 2017/10/21 19:43:54 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.87.2.2 2018/01/09 19:30:45 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -415,8 +415,8 @@ ip6_forward(struct mbuf *m, int srcrt) /* Need to release rt here */ rtcache_unref(rt, ro); rt = NULL; - if (m->m_flags & M_CANFASTFWD) -ip6flow_create(ro, m); + if (mcopy->m_flags & M_CANFASTFWD) +ip6flow_create(ro, mcopy); #endif if (mcopy) goto freecopy;
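Review bot: `mcopy->m_flags` is dereferenced in the new condition, yet the first statement after `#endif` is `if (mcopy)`, which shows that `mcopy` can be NULL at this point in ip6_forward(). When no copy was made, the added line is a NULL pointer dereference in the kernel's forwarding path. The test should guard the pointer first: `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`. ip6_forward() begins and ends outside this hunk, so where `mcopy` is assigned is not visible here.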
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Jan 9 19:24:44 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_flow.c Log Message: Pull up following revision(s) (requested by maxv in ticket #481): sys/netinet6/ip6_flow.c: revision 1.36 Fix use-after-free: if m_pullup fails the (freed) mbuf is pushed on the ip6_pktq queue and re-processed later. Return 1 to say "processed and freed". To generate a diff of this commit: cvs rdiff -u -r1.34.8.1 -r1.34.8.2 src/sys/netinet6/ip6_flow.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/ip6_flow.c diff -u src/sys/netinet6/ip6_flow.c:1.34.8.1 src/sys/netinet6/ip6_flow.c:1.34.8.2 --- src/sys/netinet6/ip6_flow.c:1.34.8.1 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/ip6_flow.c Tue Jan 9 19:24:44 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_flow.c,v 1.34.8.1 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: ip6_flow.c,v 1.34.8.2 2018/01/09 19:24:44 snj Exp $ */ /*- * Copyright (c) 2007 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_flow.c,v 1.34.8.1 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_flow.c,v 1.34.8.2 2018/01/09 19:24:44 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -285,12 +285,8 @@ ip6flow_fastforward(struct mbuf **mp) if (IP6_HDR_ALIGNED_P(mtod(m, const void *)) == 0) { if ((m = m_copyup(m, sizeof(struct ip6_hdr), -(max_linkhdr + 3) & ~3)) == NULL) { - goto out; - } - *mp = m; - } else if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) { - if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { + (max_linkhdr + 3) & ~3)) == NULL) { + ret = 1; goto out; } *mp = m;
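Review bot: After `m_copyup()` fails in ip6flow_fastforward(), the added `ret = 1` reports the packet as consumed, but `*mp` is not updated on that path and still holds the pointer that was passed in. If the chain has been released at that point, as the log message describes, the caller is safe only as long as it never looks at `*mp` when 1 is returned. A comment stating that contract, e.g. `/* chain already freed; tell the caller it was consumed */`, would help, and clearing the pointer with `*mp = NULL;` beside `ret = 1;` is worth considering if the callers permit it. The hunk also drops the `m_pullup()` branch for a short first mbuf; presumably a length check earlier in the function, outside this hunk, covers that case.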
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Jan 9 19:24:44 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_flow.c Log Message: Pull up following revision(s) (requested by maxv in ticket #481): sys/netinet6/ip6_flow.c: revision 1.36 Fix use-after-free: if m_pullup fails the (freed) mbuf is pushed on the ip6_pktq queue and re-processed later. Return 1 to say "processed and freed". To generate a diff of this commit: cvs rdiff -u -r1.34.8.1 -r1.34.8.2 src/sys/netinet6/ip6_flow.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Fri Nov 17 20:26:19 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: in6_ifattach.c nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #354): sys/netinet6/in6_ifattach.c: revision 1.113 sys/netinet6/nd6.c: revision 1.238 Use psref instead of pserialize because that code is sleepable -- Use psref instead of pserialize because that code is sleepable To generate a diff of this commit: cvs rdiff -u -r1.112 -r1.112.6.1 src/sys/netinet6/in6_ifattach.c cvs rdiff -u -r1.232.2.3 -r1.232.2.4 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_ifattach.c diff -u src/sys/netinet6/in6_ifattach.c:1.112 src/sys/netinet6/in6_ifattach.c:1.112.6.1 --- src/sys/netinet6/in6_ifattach.c:1.112 Thu Feb 23 07:57:10 2017 +++ src/sys/netinet6/in6_ifattach.c Fri Nov 17 20:26:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_ifattach.c,v 1.112 2017/02/23 07:57:10 ozaki-r Exp $ */ +/* $NetBSD: in6_ifattach.c,v 1.112.6.1 2017/11/17 20:26:19 snj Exp $ */ /* $KAME: in6_ifattach.c,v 1.124 2001/07/18 08:32:51 jinmei Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.112 2017/02/23 07:57:10 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.112.6.1 2017/11/17 20:26:19 snj Exp $"); #include #include 
@@ -787,13 +787,15 @@ in6_ifattach(struct ifnet *ifp, struct i */ if (!(ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED) && ND_IFINFO(ifp)->flags & ND6_IFF_AUTO_LINKLOCAL) { - int s = pserialize_read_enter(); - ia = in6ifa_ifpforlinklocal(ifp, 0); + int bound = curlwp_bind(); + struct psref psref; + ia = in6ifa_ifpforlinklocal_psref(ifp, 0, ); if (ia == NULL && in6_ifattach_linklocal(ifp, altifp) != 0) { printf("%s: cannot assign link-local address\n", ifp->if_xname); } - pserialize_read_exit(s); + ia6_release(ia, ); + curlwp_bindx(bound); } } Index: src/sys/netinet6/nd6.c diff -u src/sys/netinet6/nd6.c:1.232.2.3 src/sys/netinet6/nd6.c:1.232.2.4 --- src/sys/netinet6/nd6.c:1.232.2.3 Fri Nov 17 20:24:05 2017 +++ src/sys/netinet6/nd6.c Fri Nov 17 20:26:19 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6.c,v 1.232.2.3 2017/11/17 20:24:05 snj Exp $ */ +/* $NetBSD: nd6.c,v 1.232.2.4 2017/11/17 20:26:19 snj Exp $ */ /* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.3 2017/11/17 20:24:05 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.4 2017/11/17 20:26:19 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -1446,7 +1446,7 @@ nd6_rtrequest(int req, struct rtentry *r switch (req) { case RTM_ADD: { - int s; + struct psref psref; RT_DPRINTF("rt_getkey(rt) = %p\n", rt_getkey(rt)); /* @@ -1554,9 +1554,8 @@ nd6_rtrequest(int req, struct rtentry *r * check if rt_getkey(rt) is an address assigned * to the interface. */ - s = pserialize_read_enter(); - ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, - (rt_getkey(rt))->sin6_addr); + ifa = (struct ifaddr *)in6ifa_ifpwithaddr_psref(ifp, + (rt_getkey(rt))->sin6_addr, ); if (ifa != NULL) { if (nd6_useloopback) { rt->rt_ifp = lo0ifp; /* XXX */ @@ -1593,7 +1592,7 @@ nd6_rtrequest(int req, struct rtentry *r } } out: - pserialize_read_exit(s); + ifa_release(ifa, ); /* * If we have too many cache entries, initiate immediate * purging for some entries.
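Review bot: The added `ia6_release()` call in in6_ifattach() runs even when the lookup returned NULL, which is the very case the following `ia == NULL && in6_ifattach_linklocal(...)` test is written for. That is fine only if ia6_release() accepts a NULL address; its definition is not on this page, so it is worth confirming or making explicit with `if (ia != NULL)`. A one-line comment that the block may sleep, which is the reason given in the log message, would explain why the pserialize read section had to be replaced.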
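Review bot: The nd6_rtrequest() hunks take a reference with `in6ifa_ifpwithaddr_psref()` and release it at `out:`, but unlike the in6_ifattach() hunk in the same commit they add no `curlwp_bind()`/`curlwp_bindx()` pair. psref references are expected to be held by a bound LWP, so if nd6_rtrequest() can be entered from an unbound one, the binding is missing here; the callers are outside this diff, so this needs checking. The release at `out:` (hunk -1593,7) runs for every jump to that label, so `ifa` must be either NULL or psref-held on each of those paths, including any `goto out` that precedes the lookup in hunk -1554,9.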
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Fri Nov 17 20:26:19 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: in6_ifattach.c nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #354): sys/netinet6/in6_ifattach.c: revision 1.113 sys/netinet6/nd6.c: revision 1.238 Use psref instead of pserialize because that code is sleepable -- Use psref instead of pserialize because that code is sleepable To generate a diff of this commit: cvs rdiff -u -r1.112 -r1.112.6.1 src/sys/netinet6/in6_ifattach.c cvs rdiff -u -r1.232.2.3 -r1.232.2.4 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Wed Nov 8 22:24:55 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c raw_ip6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #350): sys/netinet6/icmp6.c: revision 1.214 sys/netinet6/raw_ip6.c: revision 1.158 Fix usages of ipsec_used If IPsec isn't used, we must go back to the normal path. PR kern/52659 To generate a diff of this commit: cvs rdiff -u -r1.211.6.2 -r1.211.6.3 src/sys/netinet6/icmp6.c cvs rdiff -u -r1.157 -r1.157.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Wed Nov 8 22:24:55 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c raw_ip6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #350): sys/netinet6/icmp6.c: revision 1.214 sys/netinet6/raw_ip6.c: revision 1.158 Fix usages of ipsec_used If IPsec isn't used, we must go back to the normal path. PR kern/52659 To generate a diff of this commit: cvs rdiff -u -r1.211.6.2 -r1.211.6.3 src/sys/netinet6/icmp6.c cvs rdiff -u -r1.157 -r1.157.2.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.211.6.2 src/sys/netinet6/icmp6.c:1.211.6.3 --- src/sys/netinet6/icmp6.c:1.211.6.2 Sat Oct 21 19:43:54 2017 +++ src/sys/netinet6/icmp6.c Wed Nov 8 22:24:55 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.211.6.2 2017/10/21 19:43:54 snj Exp $ */ +/* $NetBSD: icmp6.c,v 1.211.6.3 2017/11/08 22:24:55 snj Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.2 2017/10/21 19:43:54 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.3 2017/11/08 22:24:55 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2012,7 +2012,8 @@ icmp6_rip6_input(struct mbuf **mp, int o /* * Check AH/ESP integrity */ - if (ipsec_used && !ipsec6_in_reject(m, last)) + if (!ipsec_used || + (ipsec_used && !ipsec6_in_reject(m, last))) #endif /* IPSEC */ if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) { if (last->in6p_flags & IN6P_CONTROLOPTS) Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.157 src/sys/netinet6/raw_ip6.c:1.157.2.1 --- src/sys/netinet6/raw_ip6.c:1.157 Thu Jun 1 02:45:14 2017 +++ src/sys/netinet6/raw_ip6.c Wed Nov 8 22:24:55 2017 
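Review bot: The new condition `!ipsec_used || (ipsec_used && !ipsec6_in_reject(m, last))` in icmp6_rip6_input() repeats a test that is already implied: once `!ipsec_used` is false, `ipsec_used` is known to be true. `if (!ipsec_used || !ipsec6_in_reject(m, last))` is equivalent and easier to read; the raw_ip6.c hunk at -205,7 in rip6_input() has the same expression. Both hunks keep an `if` inside `#ifdef IPSEC` whose body is the `if ((n = m_copy(...` statement after `#endif`. A comment that the delivery statement is conditional only in IPSEC kernels would help anyone auditing the integrity check.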
@@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.157 2017/06/01 02:45:14 chs Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.157.2.1 2017/11/08 22:24:55 snj Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157 2017/06/01 02:45:14 chs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.1 2017/11/08 22:24:55 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -205,7 +205,8 @@ rip6_input(struct mbuf **mp, int *offp, /* * Check AH/ESP integrity */ - if (ipsec_used && !ipsec6_in_reject(m, last)) + if (!ipsec_used || + (ipsec_used && !ipsec6_in_reject(m, last))) #endif /* IPSEC */ if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) { if (last->in6p_flags & IN6P_CONTROLOPTS)
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Oct 24 09:00:23 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #307): sys/netinet6/nd6.c: revision 1.236 Add missing NULL check PR kern/52554 To generate a diff of this commit: cvs rdiff -u -r1.232.2.1 -r1.232.2.2 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Tue Oct 24 09:00:23 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: nd6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #307): sys/netinet6/nd6.c: revision 1.236 Add missing NULL check PR kern/52554 To generate a diff of this commit: cvs rdiff -u -r1.232.2.1 -r1.232.2.2 src/sys/netinet6/nd6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/nd6.c diff -u src/sys/netinet6/nd6.c:1.232.2.1 src/sys/netinet6/nd6.c:1.232.2.2 --- src/sys/netinet6/nd6.c:1.232.2.1 Fri Jul 7 13:57:26 2017 +++ src/sys/netinet6/nd6.c Tue Oct 24 09:00:22 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: nd6.c,v 1.232.2.1 2017/07/07 13:57:26 martin Exp $ */ +/* $NetBSD: nd6.c,v 1.232.2.2 2017/10/24 09:00:22 snj Exp $ */ /* $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $ */ /* @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.1 2017/07/07 13:57:26 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.232.2.2 2017/10/24 09:00:22 snj Exp $"); #ifdef _KERNEL_OPT #include "opt_net_mpsafe.h" @@ -2321,6 +2321,11 @@ nd6_resolve(struct ifnet *ifp, const str created = true; } + if (ln == NULL) { + m_freem(m); + return ENETDOWN; /* better error? */ + } + LLE_WLOCK_ASSERT(ln); /* We don't have to do link-layer address resolution on a p2p link. */
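Review bot: The added `ln == NULL` branch in nd6_resolve() returns `ENETDOWN` with the comment `/* better error? */`, which leaves the choice of errno as an open question in committed code. The comment would be more useful if it said when `ln` can still be NULL here, for instance `/* no neighbor cache entry could be found or created */`, if that is indeed the only cause; the lookup and creation code is above this hunk. The `LLE_WLOCK_ASSERT(ln)` that follows shows the entry is expected to be locked from here on. It is therefore also worth confirming that nothing acquired before this point is still held on the new early return.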
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Aug 31 11:24:03 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by christos in ticket #243): sys/netinet6/in6_src.c: revision 1.80 PR/52382: BERTRAND Joel: Fix mapped IPv4 source selection; this got broken in the last code refactoring. in6_selectif failing is not fatal. XXX: pullup-8 To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.79.6.1 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netinet6/in6_src.c diff -u src/sys/netinet6/in6_src.c:1.79 src/sys/netinet6/in6_src.c:1.79.6.1 --- src/sys/netinet6/in6_src.c:1.79 Fri Feb 17 03:57:17 2017 +++ src/sys/netinet6/in6_src.c Thu Aug 31 11:24:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: in6_src.c,v 1.79 2017/02/17 03:57:17 ozaki-r Exp $ */ +/* $NetBSD: in6_src.c,v 1.79.6.1 2017/08/31 11:24:03 martin Exp $ */ /* $KAME: in6_src.c,v 1.159 2005/10/19 01:40:32 t-momose Exp $ */ /* @@ -66,7 +66,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79 2017/02/17 03:57:17 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: in6_src.c,v 1.79.6.1 2017/08/31 11:24:03 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -461,7 +461,7 @@ in6_selectsrc(struct sockaddr_in6 *dstso struct in6_ifaddr *ia = NULL; struct in6_pktinfo *pi = NULL; u_int32_t odstzone; - int error; + int error = 0, iferror; #if defined(MIP6) && NMIP > 0 u_int8_t ip6po_usecoa = 0; #endif /* MIP6 && NMIP > 0 */ @@ -484,7 +484,7 @@ in6_selectsrc(struct sockaddr_in6 *dstso * to this function (e.g., for identifying the appropriate scope zone * ID). */ - error = in6_selectif(dstsock, opts, mopts, ro, , PSREF); + iferror = in6_selectif(dstsock, opts, mopts, ro, , PSREF); if (ifpp != NULL) *ifpp = ifp; 
@@ -549,8 +549,10 @@ in6_selectsrc(struct sockaddr_in6 *dstso
 * The outgoing interface is crucial in the general selection procedure
 * below. If it is not known at this point, we fail.
 */
- if (ifp == NULL)
+ if (ifp == NULL) {
+ error = iferror;
 goto exit;
+ }
 
 /*
 * If the address is not yet determined, choose the best one based on
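Review bot: With `error` now initialised to 0 (hunk at -461) and overwritten only by `error = iferror;` here, this branch reports success whenever in6_selectif() returned 0 but left `ifp` NULL. Whether that combination can occur is not visible in these hunks, so I would either assert it cannot or fall back to a real error, e.g. `error = iferror != 0 ? iferror : EADDRNOTAVAIL;`. A caller that sees 0 on this path could go on to use a source address that was never selected. The body of in6_selectsrc starts and ends outside the hunk.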
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Thu Aug 31 11:24:03 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: in6_src.c Log Message: Pull up following revision(s) (requested by christos in ticket #243): sys/netinet6/in6_src.c: revision 1.80 PR/52382: BERTRAND Joel: Fix mapped IPv4 source selection; this got broken in the last code refactoring. in6_selectif failing is not fatal. XXX: pullup-8 To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.79.6.1 src/sys/netinet6/in6_src.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Jul 7 09:46:40 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #106): sys/netinet6/icmp6.c: revision 1.212 fix PR kern/52353. implemented by ozaki-r@n.o. I just commit by proxy. XXX need to pullup to -8. To generate a diff of this commit: cvs rdiff -u -r1.211 -r1.211.6.1 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.211 src/sys/netinet6/icmp6.c:1.211.6.1
--- src/sys/netinet6/icmp6.c:1.211 Tue Mar 14 04:24:04 2017
+++ src/sys/netinet6/icmp6.c Fri Jul 7 09:46:40 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.211 2017/03/14 04:24:04 ozaki-r Exp $ */
+/* $NetBSD: icmp6.c,v 1.211.6.1 2017/07/07 09:46:40 martin Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211 2017/03/14 04:24:04 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.211.6.1 2017/07/07 09:46:40 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -494,6 +494,15 @@ _icmp6_input(struct mbuf *m, int off, in
 goto freeit;
 }
 
+ if (m->m_len < sizeof(struct ip6_hdr)) {
+ m = m_pullup(m, sizeof(struct ip6_hdr));
+ if (m == NULL) {
+ ICMP6_STATINC(ICMP6_STAT_TOOSHORT);
+ icmp6_ifstat_inc(rcvif, ifs6_in_error);
+ goto freeit;
+ }
+ }
+
 ip6 = mtod(m, struct ip6_hdr *);
 IP6_EXTHDR_GET(icmp6, struct icmp6_hdr *, m, off, sizeof(*icmp6));
 if (icmp6 == NULL) {
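Review bot: When m_pullup() fails, the new code jumps to `freeit` with `m == NULL`, so everything after that label has to tolerate a NULL mbuf; the label is outside the hunk and should be checked. If it does more than a NULL-safe free, return directly after updating the two counters instead of `goto freeit;`. A short comment such as `/* m_pullup() frees the chain on failure; m is NULL from here */` would make the ownership explicit. m_pullup() may also return a different head mbuf, which is safe only if the caller of _icmp6_input does not reuse its own pointer afterwards.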
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Jul 7 09:46:40 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: icmp6.c Log Message: Pull up following revision(s) (requested by knakahara in ticket #106): sys/netinet6/icmp6.c: revision 1.212 fix PR kern/52353. implemented by ozaki-r@n.o. I just commit by proxy. XXX need to pullup to -8. To generate a diff of this commit: cvs rdiff -u -r1.211 -r1.211.6.1 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Sat Jul 1 08:51:04 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #73): sys/netinet6/ip6_output.c: revision 1.192 Fix usage of ip6_get_membership It may set nothing to ifp even if returning 0. So we need to NULL-clear ifp before calling it. Fix PR kern/52324 To generate a diff of this commit: cvs rdiff -u -r1.191 -r1.191.6.1 src/sys/netinet6/ip6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.191 src/sys/netinet6/ip6_output.c:1.191.6.1
--- src/sys/netinet6/ip6_output.c:1.191 Fri Mar 3 07:13:06 2017
+++ src/sys/netinet6/ip6_output.c Sat Jul 1 08:51:04 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.191 2017/03/03 07:13:06 ozaki-r Exp $ */
+/* $NetBSD: ip6_output.c,v 1.191.6.1 2017/07/01 08:51:04 snj Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 
 /*
@@ -62,7 +62,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191 2017/03/03 07:13:06 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.1 2017/07/01 08:51:04 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2561,8 +2561,10 @@ ip6_setmoptions(const struct sockopt *so
 * Group must be a valid IP6 multicast address.
 */
 bound = curlwp_bind();
+ ifp = NULL;
 error = ip6_get_membership(sopt, , , , sizeof(ia));
 if (error != 0) {
+ KASSERT(ifp == NULL);
 curlwp_bindx(bound);
 return error;
 }
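Review bot: The new `ifp = NULL;` carries no comment, although the reason for it is a non-obvious contract stated only in the log message: ip6_get_membership() may return 0 without storing anything in `ifp`. I would put that next to the assignment, `/* ip6_get_membership() may leave ifp untouched even on success */`, so the line is not later removed as redundant. The `KASSERT(ifp == NULL);` on the error path is evaluated only in DIAGNOSTIC kernels; if the callee could ever fail after taking an interface reference, this path would return without releasing it, so that assumption belongs in the callee's comment as well. ip6_setmoptions continues outside the hunk.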
CVS commit: [netbsd-8] src/sys/netinet6
Module Name:src Committed By: snj Date: Sat Jul 1 08:51:04 UTC 2017 Modified Files: src/sys/netinet6 [netbsd-8]: ip6_output.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #73): sys/netinet6/ip6_output.c: revision 1.192 Fix usage of ip6_get_membership It may set nothing to ifp even if returning 0. So we need to NULL-clear ifp before calling it. Fix PR kern/52324 To generate a diff of this commit: cvs rdiff -u -r1.191 -r1.191.6.1 src/sys/netinet6/ip6_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.