CVS commit: [netbsd-8] src/sys/netinet

2021-03-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar  9 15:56:51 UTC 2021

Modified Files:
src/sys/netinet [netbsd-8]: in_var.h tcp_subr.c tcp_timer.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1662):

sys/netinet/tcp_subr.c: revision 1.286
sys/netinet/tcp_timer.c: revision 1.96
sys/netinet/in_var.h: revision 1.102
sys/netinet/in_var.h: revision 1.99

Don't increment the iss sequence on each connection because it exposes
information (Amit Klein)

Add some randomness to the iss offset

Use a random IPv4 ID because the shuffling algorithm used before could expose
information (Amit Klein)

mv  include to the kernel portion


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet/in_var.h
cvs rdiff -u -r1.270.6.2 -r1.270.6.3 src/sys/netinet/tcp_subr.c
cvs rdiff -u -r1.91.8.1 -r1.91.8.2 src/sys/netinet/tcp_timer.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in_var.h
diff -u src/sys/netinet/in_var.h:1.95 src/sys/netinet/in_var.h:1.95.2.1
--- src/sys/netinet/in_var.h:1.95	Fri May 12 17:53:54 2017
+++ src/sys/netinet/in_var.h	Tue Mar  9 15:56:51 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: in_var.h,v 1.95 2017/05/12 17:53:54 ryo Exp $	*/
+/*	$NetBSD: in_var.h,v 1.95.2.1 2021/03/09 15:56:51 martin Exp $	*/
 
 /*-
  * Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -374,6 +374,7 @@ struct in_multi {
 #ifdef _KERNEL
 
 #include 
+#include 
 
 extern pktqueue_t *ip_pktq;
 
@@ -450,7 +451,8 @@ ip_newid_range(const struct in_ifaddr *i
 
 	if (ip_do_randomid) {
 		/* XXX ignore num */
-		return ip_randomid(ip_ids, ia ? ia->ia_idsalt : 0);
+		id = (uint16_t)cprng_fast32();
+		return id ? id : 1;
 	}
 
 	/* Never allow an IP ID of 0 (detect wrap). */
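Review bot: The random branch of ip_newid_range keeps `/* XXX ignore num */` and now also ignores `ia`, but nothing records why a plain 16-bit draw from `cprng_fast32()` replaced `ip_randomid()`. A comment such as `/* independent random ID: the old shuffle could expose state to an observer; occasional repeats are accepted */` would document the trade-off, since independent draws can repeat within a short interval where the shuffle presumably did not. Mapping zero with `return id ? id : 1;` makes ID 1 twice as likely as any other value, which is minor but worth a word in the same comment. `id` is declared outside the hunk and the function body continues past it.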

Index: src/sys/netinet/tcp_subr.c
diff -u src/sys/netinet/tcp_subr.c:1.270.6.2 src/sys/netinet/tcp_subr.c:1.270.6.3
--- src/sys/netinet/tcp_subr.c:1.270.6.2	Sun Mar  7 19:13:24 2021
+++ src/sys/netinet/tcp_subr.c	Tue Mar  9 15:56:51 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.270.6.2 2021/03/07 19:13:24 martin Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.270.6.3 2021/03/09 15:56:51 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.270.6.2 2021/03/07 19:13:24 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.270.6.3 2021/03/09 15:56:51 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2301,7 +2301,6 @@ tcp_new_iss1(void *laddr, void *faddr, u
 		 * XXX Use `addin'?
 		 * XXX TCP_ISSINCR too large to use?
 		 */
-		tcp_iss_seq += TCP_ISSINCR;
 #ifdef TCPISS_DEBUG
 		printf("ISS hash 0x%08x, ", tcp_iss);
 #endif
@@ -2337,7 +2336,6 @@ tcp_new_iss1(void *laddr, void *faddr, u
 		} else {
 			tcp_iss &= TCP_ISS_RANDOM_MASK;
 			tcp_iss += tcp_iss_seq;
-			tcp_iss_seq += TCP_ISSINCR;
 #ifdef TCPISS_DEBUG
 			printf("ISS %08x\n", tcp_iss);
 #endif

Index: src/sys/netinet/tcp_timer.c
diff -u src/sys/netinet/tcp_timer.c:1.91.8.1 src/sys/netinet/tcp_timer.c:1.91.8.2
--- src/sys/netinet/tcp_timer.c:1.91.8.1	Sat Feb  3 22:07:26 2018
+++ src/sys/netinet/tcp_timer.c	Tue Mar  9 15:56:51 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_timer.c,v 1.91.8.1 2018/02/03 22:07:26 snj Exp $	*/
+/*	$NetBSD: tcp_timer.c,v 1.91.8.2 2021/03/09 15:56:51 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -93,7 +93,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.91.8.1 2018/02/03 22:07:26 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.91.8.2 2021/03/09 15:56:51 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -111,6 +111,7 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -261,7 +262,7 @@ tcp_slowtimo_work(struct work *wk, void 
 {
 
 	mutex_enter(softnet_lock);
-	tcp_iss_seq += TCP_ISSINCR;			/* increment iss */
+	tcp_iss_seq += TCP_ISSINCR + (TCP_ISS_RANDOM_MASK & cprng_fast32());
 	tcp_now++;	/* for timestamps */
 	mutex_exit(softnet_lock);
 
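Review bot: The rewritten increment in tcp_slowtimo_work lost its `/* increment iss */` comment, and the new random term is unexplained. I would put `/* advance iss by TCP_ISSINCR plus a random offset so the per-tick step is not predictable */` above the line. tcp_new_iss1 masks `tcp_iss` with the same `TCP_ISS_RANDOM_MASK` before adding `tcp_iss_seq`, so the comment should also say whether the sequence part is meant to move across the same bit range as the hashed part. Both macro definitions are outside this diff.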



CVS commit: [netbsd-8] src/sys/netinet

2021-03-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar  9 15:56:51 UTC 2021

Modified Files:
src/sys/netinet [netbsd-8]: in_var.h tcp_subr.c tcp_timer.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1662):

sys/netinet/tcp_subr.c: revision 1.286
sys/netinet/tcp_timer.c: revision 1.96
sys/netinet/in_var.h: revision 1.102
sys/netinet/in_var.h: revision 1.99

Don't increment the iss sequence on each connection because it exposes
information (Amit Klein)

Add some randomness to the iss offset

Use a random IPv4 ID because the shuffling algorithm used before could expose
information (Amit Klein)

mv  include to the kernel portion


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.2.1 src/sys/netinet/in_var.h
cvs rdiff -u -r1.270.6.2 -r1.270.6.3 src/sys/netinet/tcp_subr.c
cvs rdiff -u -r1.91.8.1 -r1.91.8.2 src/sys/netinet/tcp_timer.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-12-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  7 20:01:02 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: ip_mroute.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1632):

sys/netinet/ip_mroute.c: revision 1.164 (patch)

PR kern/55779:

restore non-destructive guarantee of ip_mforward() mbuf
argument. This avoids generating invalid UDP checksums
on multicast packets in ip_output().

XXX the root cause of the misguided fix in 2008 should be
XXX investigated


To generate a diff of this commit:
cvs rdiff -u -r1.146.6.4 -r1.146.6.5 src/sys/netinet/ip_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_mroute.c
diff -u src/sys/netinet/ip_mroute.c:1.146.6.4 src/sys/netinet/ip_mroute.c:1.146.6.5
--- src/sys/netinet/ip_mroute.c:1.146.6.4	Fri Jul 13 14:26:47 2018
+++ src/sys/netinet/ip_mroute.c	Mon Dec  7 20:01:01 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_mroute.c,v 1.146.6.4 2018/07/13 14:26:47 martin Exp $	*/
+/*	$NetBSD: ip_mroute.c,v 1.146.6.5 2020/12/07 20:01:01 martin Exp $	*/
 
 /*
  * Copyright (c) 1992, 1993
@@ -93,7 +93,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.146.6.4 2018/07/13 14:26:47 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.146.6.5 2020/12/07 20:01:01 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -239,6 +239,8 @@ static int tbf_dq_sel(struct vif *, stru
 static void tbf_send_packet(struct vif *, struct mbuf *);
 static void tbf_update_tokens(struct vif *);
 static int priority(struct vif *, struct ip *);
+static int ip_mforward_real(struct mbuf *, struct ifnet *);
+
 
 /*
  * Bandwidth monitoring
@@ -1309,6 +1311,34 @@ ip_mforward(struct mbuf *m, struct ifnet
 ip_mforward(struct mbuf *m, struct ifnet *ifp)
 #endif /* RSVP_ISI */
 {
+	int rc;
+	/*
+	 * save csum_flags to uphold the 
+	 * "unscathed" guarantee.
+	 * ip_output() relies on that and
+	 * without it we send out
+	 * multicast packets with an invalid
+	 * checksum
+	 *
+	 * see PR kern/55779
+	 */
+	int csum_flags = m->m_pkthdr.csum_flags;
+
+	/*
+	 * Temporarily clear any in-bound checksum flags for this packet.
+	 */
+	m->m_pkthdr.csum_flags = 0;
+
+	rc = ip_mforward_real(m, ifp);
+
+	m->m_pkthdr.csum_flags = csum_flags;
+
+	return rc;
+}
+
+static int
+ip_mforward_real(struct mbuf *m, struct ifnet *ifp)
+{
 	struct ip *ip = mtod(m, struct ip *);
 	struct mfc *rt;
 	static int srctun = 0;
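Review bot: ip_mforward_real() is declared and defined with only `(struct mbuf *m, struct ifnet *ifp)`, yet the body it takes over still has an `#ifdef RSVP_ISI` section that reads `imo` (visible in the next hunk), so an RSVP_ISI build would stop compiling unless that argument is passed through. The helper needs the same conditional signature as ip_mforward(), with the call becoming `rc = ip_mforward_real(m, ifp, imo);` under RSVP_ISI. The RSVP_ISI form of ip_mforward's signature is above the hunk, so this is inferred from the `#endif /* RSVP_ISI */` line and the later use of `imo`. The new comment block also leaves trailing whitespace after "uphold the".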
@@ -1340,11 +1370,6 @@ ip_mforward(struct mbuf *m, struct ifnet
 		return (1);
 	}
 
-	/*
-	 * Clear any in-bound checksum flags for this packet.
-	 */
-	m->m_pkthdr.csum_flags = 0;
-
 #ifdef RSVP_ISI
 	if (imo && ((vifi = imo->imo_multicast_vif) < numvifs)) {
 		if (ip->ip_ttl < MAXTTL)



CVS commit: [netbsd-8] src/sys/netinet

2020-12-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  7 20:01:02 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: ip_mroute.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1632):

sys/netinet/ip_mroute.c: revision 1.164 (patch)

PR kern/55779:

restore non-destructive guarantee of ip_mforward() mbuf
argument. This avoids generating invalid UDP checksums
on multicast packets in ip_output().

XXX the root cause of the misguided fix in 2008 should be
XXX investigated


To generate a diff of this commit:
cvs rdiff -u -r1.146.6.4 -r1.146.6.5 src/sys/netinet/ip_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-09-13 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Sep 13 12:16:34 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1604):

sys/netinet/tcp_input.c: revision 1.420

PR/kern 55567
fix the data-only fast path. RCV.UP and SND.WL1 could be left behind
on long sequences of data only packets. pull them along to avoid relative
sequence wraps.
consistent with FreeBSD

addresses second failure mode of PR/kern 55567.
pullup to netbsd-8
pullup to netbsd-9


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.6 -r1.357.4.7 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.357.4.6 src/sys/netinet/tcp_input.c:1.357.4.7
--- src/sys/netinet/tcp_input.c:1.357.4.6	Thu Sep  3 13:40:41 2020
+++ src/sys/netinet/tcp_input.c	Sun Sep 13 12:16:34 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.357.4.6 2020/09/03 13:40:41 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.357.4.7 2020/09/13 12:16:34 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.6 2020/09/03 13:40:41 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.7 2020/09/13 12:16:34 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2061,13 +2061,25 @@ after_listen:
 			 * we have enough buffer space to take it.
 			 */
 			tp->rcv_nxt += tlen;
+
+			/*
+			 * Pull rcv_up up to prevent seq wrap relative to
+			 * rcv_nxt.
+			 */
+			tp->rcv_up = tp->rcv_nxt;
+
+			/*
+			 * Pull snd_wl1 up to prevent seq wrap relative to
+			 * th_seq.
+			 */
+			tp->snd_wl1 = th->th_seq;
+
 			tcps = TCP_STAT_GETREF();
 			tcps[TCP_STAT_PREDDAT]++;
 			tcps[TCP_STAT_RCVPACK]++;
 			tcps[TCP_STAT_RCVBYTE] += tlen;
 			TCP_STAT_PUTREF();
 			nd6_hint(tp);
-
 		/*
 		 * Automatic sizing enables the performance of large buffers
 		 * and most of the efficiency of small ones by only allocating
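Review bot: The two new comments in the data-only fast path say what is pulled forward but not which report motivated it; adding `see PR/kern 55567` to one of them would let a reader find the failure mode being closed. The hunk also deletes the blank line between `nd6_hint(tp);` and the `Automatic sizing` comment, which looks unintentional and makes two unrelated steps run together. The block under `after_listen:` starts and ends outside the hunk.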



CVS commit: [netbsd-8] src/sys/netinet

2020-09-13 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Sep 13 12:16:34 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1604):

sys/netinet/tcp_input.c: revision 1.420

PR/kern 55567
fix the data-only fast path. RCV.UP and SND.WL1 could be left behind
on long sequences of data only packets. pull them along to avoid relative
sequence wraps.
consistent with FreeBSD

addresses second failure mode of PR/kern 55567.
pullup to netbsd-8
pullup to netbsd-9


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.6 -r1.357.4.7 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-09-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Sep  3 13:40:41 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1602):

sys/netinet/tcp_input.c: revision 1.419

Fix fast path for uni directional transfers

pure ACK case:
drag snd_wl2 along so only newer
ACKs can update the window size.

also avoids the state where snd_wl2
is eventually larger than th_ack and thus
blocking the window update mechanism and
the connection gets stuck for a long
time in the zero sized send window state.

see PR/kern 55567

ok thorpej@, also found in FreeBSD


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.5 -r1.357.4.6 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.357.4.5 src/sys/netinet/tcp_input.c:1.357.4.6
--- src/sys/netinet/tcp_input.c:1.357.4.5	Wed Jul  8 13:48:36 2020
+++ src/sys/netinet/tcp_input.c	Thu Sep  3 13:40:41 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.357.4.5 2020/07/08 13:48:36 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.357.4.6 2020/09/03 13:40:41 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.5 2020/07/08 13:48:36 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.6 2020/09/03 13:40:41 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2009,6 +2009,19 @@ after_listen:
 tp->snd_fack = tp->snd_una;
 if (SEQ_LT(tp->snd_high, tp->snd_una))
 	tp->snd_high = tp->snd_una;
+/*
+ * drag snd_wl2 along so only newer
+ * ACKs can update the window size.
+ * also avoids the state where snd_wl2
+ * is eventually larger than th_ack and thus
+ * blocking the window update mechanism and
+ * the connection gets stuck for a lng
+ * time in the zero sized send window state.
+ *
+ * see PR/kern 55567
+ */
+tp->snd_wl2 = tp->snd_una;
+
 m_freem(m);
 
 /*
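Review bot: The comment added above `tp->snd_wl2 = tp->snd_una;` contains the typo `lng` and reads as one run-on sentence; its last two lines should read `the connection gets stuck for a long time in the zero sized send window state.` The comment should also state that `snd_una` already holds the newly acknowledged value at this point, which is presumably set just above the hunk. The enclosing pure-ACK branch begins and ends outside the visible lines.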



CVS commit: [netbsd-8] src/sys/netinet

2020-09-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Sep  3 13:40:41 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by kardel in ticket #1602):

sys/netinet/tcp_input.c: revision 1.419

Fix fast path for uni directional transfers

pure ACK case:
drag snd_wl2 along so only newer
ACKs can update the window size.

also avoids the state where snd_wl2
is eventually larger than th_ack and thus
blocking the window update mechanism and
the connection gets stuck for a long
time in the zero sized send window state.

see PR/kern 55567

ok thorpej@, also found in FreeBSD


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.5 -r1.357.4.6 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-07-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Jul  8 13:48:36 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Apply patch, requested by christos in ticket #1566:

Deduplicate more code and avoid use of uninitialized variables.


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.4 -r1.357.4.5 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.357.4.4 src/sys/netinet/tcp_input.c:1.357.4.5
--- src/sys/netinet/tcp_input.c:1.357.4.4	Tue Jul  7 11:56:57 2020
+++ src/sys/netinet/tcp_input.c	Wed Jul  8 13:48:36 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.357.4.4 2020/07/07 11:56:57 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.357.4.5 2020/07/08 13:48:36 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.4 2020/07/07 11:56:57 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.5 2020/07/08 13:48:36 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1272,6 +1272,12 @@ tcp_input(struct mbuf *m, ...)
 	}
 #endif
 
+	IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, sizeof(struct tcphdr));
+	if (th == NULL) {
+		TCP_STATINC(TCP_STAT_RCVSHORT);
+		return;
+	}
+
 	/*
 	 * Enforce alignment requirements that are violated in
 	 * some cases, see kern/50766 for details.
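Review bot: The hoisted `if (th == NULL)` path returns without `m_freem(m)`, which is correct only if IP6_EXTHDR_GET has already released the mbuf on failure. The macro's definition is not part of this diff, so a comment such as `/* m has been freed by IP6_EXTHDR_GET */` on the `return` would make the ownership explicit for the next reader. The same pattern existed in both removed per-family copies, so this is documentation rather than a behaviour change. tcp_input's body extends well beyond the hunk.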
@@ -1301,15 +1307,8 @@ tcp_input(struct mbuf *m, ...)
 	case 4:
 		af = AF_INET;
 		iphlen = sizeof(struct ip);
-		IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
-			sizeof(struct tcphdr));
-		if (th == NULL) {
-			TCP_STATINC(TCP_STAT_RCVSHORT);
-			return;
-		}
 		/* We do the checksum after PCB lookup... */
 		len = ntohs(ip->ip_len);
-		tlen = len - toff;
 		iptos = ip->ip_tos;
 		break;
 #endif
@@ -1317,13 +1316,6 @@ tcp_input(struct mbuf *m, ...)
 	case 6:
 		iphlen = sizeof(struct ip6_hdr);
 		af = AF_INET6;
-		IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
-			sizeof(struct tcphdr));
-		if (th == NULL) {
-			TCP_STATINC(TCP_STAT_RCVSHORT);
-			return;
-		}
-
 		/* Be proactive about malicious use of IPv4 mapped address */
 		if (IN6_IS_ADDR_V4MAPPED(>ip6_src) ||
 		IN6_IS_ADDR_V4MAPPED(>ip6_dst)) {
@@ -1355,7 +1347,6 @@ tcp_input(struct mbuf *m, ...)
 
 		/* We do the checksum after PCB lookup... */
 		len = m->m_pkthdr.len;
-		tlen = len - toff;
 		iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
 		break;
 #endif
@@ -1364,6 +1355,8 @@ tcp_input(struct mbuf *m, ...)
 		return;
 	}
 
+	tlen = len - toff;
+
 	/*
 	 * Check that TCP offset makes sense,
 	 * pull out TCP options and adjust length.		XXX



CVS commit: [netbsd-8] src/sys/netinet

2020-07-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Jul  8 13:48:36 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Apply patch, requested by christos in ticket #1566:

Deduplicate more code and avoid use of uninitialized variables.


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.4 -r1.357.4.5 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-07-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jul  7 11:56:57 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1566):

sys/netinet/tcp_input.c: revision 1.418 (via patch)

- always set both ip and ip6, otherwise a kernel assertion can be triggered
- move alignment early so that we do less work


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.3 -r1.357.4.4 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2020-07-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jul  7 11:56:57 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #1566):

sys/netinet/tcp_input.c: revision 1.418 (via patch)

- always set both ip and ip6, otherwise a kernel assertion can be triggered
- move alignment early so that we do less work


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.3 -r1.357.4.4 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.357.4.3 src/sys/netinet/tcp_input.c:1.357.4.4
--- src/sys/netinet/tcp_input.c:1.357.4.3	Fri Mar 30 11:17:19 2018
+++ src/sys/netinet/tcp_input.c	Tue Jul  7 11:56:57 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.357.4.4 2020/07/07 11:56:57 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.4 2020/07/07 11:56:57 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1273,16 +1273,32 @@ tcp_input(struct mbuf *m, ...)
 #endif
 
 	/*
+	 * Enforce alignment requirements that are violated in
+	 * some cases, see kern/50766 for details.
+	 */
+	if (TCP_HDR_ALIGNED_P(th) == 0) {
+		m = m_copyup(m, toff + sizeof(struct tcphdr), 0);
+		if (m == NULL) {
+			TCP_STATINC(TCP_STAT_RCVSHORT);
+			return;
+		}
+		th = (struct tcphdr *)(mtod(m, char *) + toff);
+	}
+	KASSERT(TCP_HDR_ALIGNED_P(th));
+
+	/*
 	 * Get IP and TCP header.
 	 * Note: IP leaves IP header in first mbuf.
 	 */
+#ifdef INET6
+	ip6 = mtod(m, struct ip6_hdr *);
+#endif
+#ifdef INET
 	ip = mtod(m, struct ip *);
+#endif
 	switch (ip->ip_v) {
 #ifdef INET
 	case 4:
-#ifdef INET6
-		ip6 = NULL;
-#endif
 		af = AF_INET;
 		iphlen = sizeof(struct ip);
 		IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
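Review bot: The alignment block moved to the top of this hunk evaluates `TCP_HDR_ALIGNED_P(th)` before any visible assignment to `th`; in the lines shown, `th` is first set by IP6_EXTHDR_GET inside the `switch` further down. Unless `th` is initialised above the hunk, the check reads an indeterminate pointer, so the TCP header fetch and its NULL check should come before the alignment test. Separately, `switch (ip->ip_v)` dereferences `ip` even though its assignment is now wrapped in `#ifdef INET`. tcp_input's body starts and ends outside the hunk.

```c
	IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, sizeof(struct tcphdr));
	if (th == NULL) {
		TCP_STATINC(TCP_STAT_RCVSHORT);
		return;
	}

	/* … unchanged: alignment check with m_copyup() and KASSERT … */
```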
@@ -1299,10 +1315,8 @@ tcp_input(struct mbuf *m, ...)
 #endif
 #ifdef INET6
 	case 6:
-		ip = NULL;
 		iphlen = sizeof(struct ip6_hdr);
 		af = AF_INET6;
-		ip6 = mtod(m, struct ip6_hdr *);
 		IP6_EXTHDR_GET(th, struct tcphdr *, m, toff,
 			sizeof(struct tcphdr));
 		if (th == NULL) {
@@ -1349,23 +1363,6 @@ tcp_input(struct mbuf *m, ...)
 		m_freem(m);
 		return;
 	}
-	/*
- * Enforce alignment requirements that are violated in
-	 * some cases, see kern/50766 for details.
-	 */
-	if (TCP_HDR_ALIGNED_P(th) == 0) {
-		m = m_copyup(m, toff + sizeof(struct tcphdr), 0);
-		if (m == NULL) {
-			TCP_STATINC(TCP_STAT_RCVSHORT);
-			return;
-		}
-		ip = mtod(m, struct ip *);
-#ifdef INET6
-		ip6 = mtod(m, struct ip6_hdr *);
-#endif
-		th = (struct tcphdr *)(mtod(m, char *) + toff);
-	}
-	KASSERT(TCP_HDR_ALIGNED_P(th));
 
 	/*
 	 * Check that TCP offset makes sense,
@@ -1601,7 +1598,6 @@ findpcb:
 			m_freem(in6p->in6p_options);
 			in6p->in6p_options = 0;
 		}
-		KASSERT(ip6 != NULL);
 		ip6_savecontrol(in6p, >in6p_options, ip6, m);
 	}
 #endif



CVS commit: [netbsd-8] src/sys/netinet

2020-01-23 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jan 23 10:22:43 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1489):

sys/netinet/ip_encap.c: revision 1.72

Fix PR security/54881.  Pointed out by ohishi@IIJ, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.4 -r1.65.2.5 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_encap.c
diff -u src/sys/netinet/ip_encap.c:1.65.2.4 src/sys/netinet/ip_encap.c:1.65.2.5
--- src/sys/netinet/ip_encap.c:1.65.2.4	Wed May 29 15:47:05 2019
+++ src/sys/netinet/ip_encap.c	Thu Jan 23 10:22:42 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_encap.c,v 1.65.2.4 2019/05/29 15:47:05 martin Exp $	*/
+/*	$NetBSD: ip_encap.c,v 1.65.2.5 2020/01/23 10:22:42 martin Exp $	*/
 /*	$KAME: ip_encap.c,v 1.73 2001/10/02 08:30:58 itojun Exp $	*/
 
 /*
@@ -68,7 +68,7 @@
 #define USE_RADIX
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.4 2019/05/29 15:47:05 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.5 2020/01/23 10:22:42 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mrouting.h"
@@ -893,10 +893,11 @@ encap6_ctlinput(int cmd, const struct so
 		 	*/
 			match = encap6_lookup(m, off, nxt, OUTBOUND,
 			_psref);
-			if (match)
+			if (match) {
 valid++;
-			psref_release(_psref, >psref,
-			encaptab.elem_class);
+psref_release(_psref, >psref,
+encaptab.elem_class);
+			}
 
 			/*
 		 	* Depending on the value of "valid" and routing table
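Review bot: Nothing inside the new braces says why `psref_release()` moved under `if (match)`. Its second argument is taken from `match`, so calling it when the lookup found nothing would dereference a null pointer. A one-line comment such as `/* no match: no reference was taken, nothing to release */` would stop a later cleanup from hoisting the call back out; this is hedged, since encap6_lookup()'s contract is outside the hunk. The argument text is garbled in this rendering (`_psref`, `>psref`), so the exact expressions cannot be confirmed from the page.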



CVS commit: [netbsd-8] src/sys/netinet

2020-01-23 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jan 23 10:22:43 UTC 2020

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1489):

sys/netinet/ip_encap.c: revision 1.72

Fix PR security/54881.  Pointed out by ohishi@IIJ, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.4 -r1.65.2.5 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2019-05-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed May 29 15:47:06 UTC 2019

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1271):

sys/netinet/ip_encap.c: revision 1.71

Fix build failure when INET6 is disabled. Pointed out by ozaki-r@n.o, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.3 -r1.65.2.4 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2019-05-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed May 29 15:47:06 UTC 2019

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1271):

sys/netinet/ip_encap.c: revision 1.71

Fix build failure when INET6 is disabled. Pointed out by ozaki-r@n.o, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.3 -r1.65.2.4 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_encap.c
diff -u src/sys/netinet/ip_encap.c:1.65.2.3 src/sys/netinet/ip_encap.c:1.65.2.4
--- src/sys/netinet/ip_encap.c:1.65.2.3	Fri Jul 13 14:26:47 2018
+++ src/sys/netinet/ip_encap.c	Wed May 29 15:47:05 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_encap.c,v 1.65.2.3 2018/07/13 14:26:47 martin Exp $	*/
+/*	$NetBSD: ip_encap.c,v 1.65.2.4 2019/05/29 15:47:05 martin Exp $	*/
 /*	$KAME: ip_encap.c,v 1.73 2001/10/02 08:30:58 itojun Exp $	*/
 
 /*
@@ -68,7 +68,7 @@
 #define USE_RADIX
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.3 2018/07/13 14:26:47 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.4 2019/05/29 15:47:05 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mrouting.h"
@@ -79,6 +79,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v
 #include 
 #include 
 #include 
+#include  /* for softnet_lock */
 #include 
 #include 
 #include 



CVS commit: [netbsd-8] src/sys/netinet

2019-03-19 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar 19 13:42:55 UTC 2019

Modified Files:
src/sys/netinet [netbsd-8]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1218):

sys/netinet/ip_carp.c: revision 1.102

carp: don't skip pserialize_read_enter and ifa_release


To generate a diff of this commit:
cvs rdiff -u -r1.90.2.3 -r1.90.2.4 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2019-03-19 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar 19 13:42:55 UTC 2019

Modified Files:
src/sys/netinet [netbsd-8]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1218):

sys/netinet/ip_carp.c: revision 1.102

carp: don't skip pserialize_read_enter and ifa_release


To generate a diff of this commit:
cvs rdiff -u -r1.90.2.3 -r1.90.2.4 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.90.2.3 src/sys/netinet/ip_carp.c:1.90.2.4
--- src/sys/netinet/ip_carp.c:1.90.2.3	Tue Jan  2 10:20:34 2018
+++ src/sys/netinet/ip_carp.c	Tue Mar 19 13:42:54 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.90.2.3 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.90.2.4 2019/03/19 13:42:54 martin Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -33,7 +33,7 @@
 #endif
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.90.2.3 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.90.2.4 2019/03/19 13:42:54 martin Exp $");
 
 /*
  * TODO:
@@ -410,7 +410,7 @@ carp_setroute(struct carp_softc *sc, int
 ifatoia(ifa), CARP_COUNT_MASTER);
 if ((cmd == RTM_ADD && count != 1) ||
 (cmd == RTM_DELETE && count != 0))
-	continue;
+	goto next;
 			}
 
 			/* Remove the existing host route, if any */
@@ -485,6 +485,7 @@ carp_setroute(struct carp_softc *sc, int
 		default:
 			break;
 		}
+	next:
 		s = pserialize_read_enter();
 		ifa_release(ifa, );
 	}
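Review bot: The `next:` label has no comment explaining why the earlier `continue` became `goto next;`. Something like `/* loop tail must always run: re-enter the pserialize read section and drop the ifa reference */` above the label would keep it from being simplified back to `continue`. Since the label exists only so the tail runs on every iteration, wrapping the skipped region in an `if` block would remove the goto, though that is a larger change than this pull-up. The loop header is outside the hunk.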



CVS commit: [netbsd-8] src/sys/netinet

2018-10-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Oct 17 13:38:04 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1045):

sys/netinet/ip_reass.c: revision 1.19-1.21

Hold ip_off and ip_len in the fragment entry, instead of always reading
the associated mbuf (and converting to host order). This reduces the
cache/TLB misses when processing long lists.

 -

Kick fragments that would introduce several !MFFs in a reassembly chain.

The problem arises if we receive three fragments of the kind
3.  A -> has MFF
1.  B -> doesn't have MFF
2.  C -> doesn't have MFF

Because of the received order B->C->A, we don't see that B is !MFF, and
therefore that there is a problem in this chain.

Now we do two checks, and drop us if:

 * there is a fragment preceding us, and this fragment is !MFF, or
 * there is a fragment following us, and we are !MFF

Spotted a long time ago.

 -

Force ip_off to zero when the reassembly is complete. This was lost in my
rev1.19 - before that the IP struct was clobbered for the reassembly, but
it actually implicitly guaranteed that the first fragment of the packet
would end up with ip_off = 0, and this was a desired behavior.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.6 -r1.11.8.7 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.6 src/sys/netinet/ip_reass.c:1.11.8.7
--- src/sys/netinet/ip_reass.c:1.11.8.6	Tue Oct  9 09:44:31 2018
+++ src/sys/netinet/ip_reass.c	Wed Oct 17 13:38:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11.8.6 2018/10/09 09:44:31 martin Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.7 2018/10/17 13:38:04 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.6 2018/10/09 09:44:31 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.7 2018/10/17 13:38:04 martin Exp $");
 
 #include 
 #include 
@@ -80,6 +80,8 @@ typedef struct ipfr_qent {
 	struct ip *		ipqe_ip;
 	struct mbuf *		ipqe_m;
 	bool			ipqe_mff;
+	uint16_t		ipqe_off;
+	uint16_t		ipqe_len;
 } ipfr_qent_t;
 
 TAILQ_HEAD(ipfr_qent_head, ipfr_qent);
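Review bot: The new `ipqe_off` and `ipqe_len` members have no comment stating their byte order or units, and the code that fills them is outside this hunk. The commit message says they replace reading the header and converting to host order, so `/* fragment offset and length, host byte order */` on the two fields would make that contract visible where the struct is defined. Later hunks compare and add these fields directly, which is only right if every writer stores them the same way.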
@@ -215,7 +217,7 @@ ip_nmbclusters_changed(void)
 struct mbuf *
 ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t *fp, const u_int hash)
 {
-	struct ip *ip = ipqe->ipqe_ip, *qip;
+	struct ip *ip = ipqe->ipqe_ip;
 	const int hlen = ip->ip_hl << 2;
 	struct mbuf *m = ipqe->ipqe_m, *t;
 	int ipsecflags = m->m_flags & (M_DECRYPTED|M_AUTHIPHDR);
@@ -230,16 +232,6 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	m->m_data += hlen;
 	m->m_len -= hlen;
 
-#ifdef	notyet
-	/* Make sure fragment limit is up-to-date. */
-	CHECK_NMBCLUSTER_PARAMS();
-
-	/* If we have too many fragments, drop the older half. */
-	if (ip_nfrags >= ip_maxfrags) {
-		ip_reass_drophalf(void);
-	}
-#endif
-
 	/*
 	 * We are about to add a fragment; increment frag count.
 	 */
@@ -255,9 +247,9 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 		 * never accept fragments  b) if maxfrag is -1, accept
 		 * all fragments without limitation.
 		 */
-		if (ip_maxfragpackets < 0)
-			;
-		else if (ip_nfragpackets >= ip_maxfragpackets) {
+		if (ip_maxfragpackets < 0) {
+			/* no limit */
+		} else if (ip_nfragpackets >= ip_maxfragpackets) {
 			goto dropfrag;
 		}
 		fp = malloc(sizeof(ipfr_queue_t), M_FTABLE, M_NOWAIT);
@@ -285,7 +277,7 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * Find a segment which begins after this one does.
 	 */
 	TAILQ_FOREACH(q, >ipq_fragq, ipqe_q) {
-		if (ntohs(q->ipqe_ip->ip_off) > ntohs(ip->ip_off))
+		if (q->ipqe_off > ipqe->ipqe_off)
 			break;
 	}
 	if (q != NULL) {
@@ -295,39 +287,45 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	}
 
 	/*
-	 * If there is a preceding segment, it may provide some of our
-	 * data already.  If so, drop the data from the incoming segment.
-	 * If it provides all of our data, drop us.
+	 * Look at the preceding segment.
+	 *
+	 * If it provides some of our data already, in part or entirely, trim
+	 * us or drop us.
+	 *
+	 * If a preceding segment exists, and was marked as the last segment,
+	 * drop us.
 	 */
 	if (p != NULL) {
-		i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
-		ntohs(ip->ip_off);
+		i = p->ipqe_off + p->ipqe_len - ipqe->ipqe_off;
 		if (i > 0) {
-			if (i >= ntohs(ip->ip_len)) {
+			if (i >= ipqe->ipqe_len) {
 goto dropfrag;
 			}
 			m_adj(ipqe->ipqe_m, i);
-			ip->ip_off = htons(ntohs(ip->ip_off) + i);
-			ip->ip_len = htons(ntohs(ip->ip_len) - i);
+			ipqe->ipqe_off = ipqe->ipqe_off + i;
+			ipqe->ipqe_len = ipqe->ipqe_len - i;
 		}
 	}
+	if (p != NULL && !p->ipqe_mff) {
+		goto dropfrag;
+	}
 
 	/*
-	 * While we overlap succeeding segments trim them or, if they are
-	 * completely 

CVS commit: [netbsd-8] src/sys/netinet

2018-10-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Oct 17 13:38:04 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1045):

sys/netinet/ip_reass.c: revision 1.19-1.21

Hold ip_off and ip_len in the fragment entry, instead of always reading
the associated mbuf (and converting to host order). This reduces the
cache/TLB misses when processing long lists.

 -

Kick fragments that would introduce several !MFFs in a reassembly chain.

The problem arises if we receive three fragments of the kind
3.  A -> has MFF
1.  B -> doesn't have MFF
2.  C -> doesn't have MFF

Because of the received order B->C->A, we don't see that B is !MFF, and
therefore that there is a problem in this chain.

Now we do two checks, and drop us if:

 * there is a fragment preceding us, and this fragment is !MFF, or
 * there is a fragment following us, and we are !MFF

Spotted a long time ago.

 -

Force ip_off to zero when the reassembly is complete. This was lost in my
rev1.19 - before that the IP struct was clobbered for the reassembly, but
it actually implicitly guaranteed that the first fragment of the packet
would end up with ip_off = 0, and this was a desired behavior.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.6 -r1.11.8.7 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-10-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct  9 09:44:31 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Back out the following from ticket #1045 by maxv:

sys/netinet/ip_reass.c  1.19

Faster IPv4 packet reassembly - causes fallout, needs further investigation
(see PR kern/53664)


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.5 -r1.11.8.6 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-10-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Oct  9 09:44:31 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Back out the following from ticket #1045 by maxv:

sys/netinet/ip_reass.c  1.19

Faster IPv4 packet reassembly - causes fallout, needs further investigation
(see PR kern/53664)


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.5 -r1.11.8.6 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.5 src/sys/netinet/ip_reass.c:1.11.8.6
--- src/sys/netinet/ip_reass.c:1.11.8.5	Wed Oct  3 17:53:56 2018
+++ src/sys/netinet/ip_reass.c	Tue Oct  9 09:44:31 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11.8.5 2018/10/03 17:53:56 martin Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.6 2018/10/09 09:44:31 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.5 2018/10/03 17:53:56 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.6 2018/10/09 09:44:31 martin Exp $");
 
 #include 
 #include 
@@ -80,8 +80,6 @@ typedef struct ipfr_qent {
 	struct ip *		ipqe_ip;
 	struct mbuf *		ipqe_m;
 	bool			ipqe_mff;
-	uint16_t		ipqe_off;
-	uint16_t		ipqe_len;
 } ipfr_qent_t;
 
 TAILQ_HEAD(ipfr_qent_head, ipfr_qent);
@@ -217,7 +215,7 @@ ip_nmbclusters_changed(void)
 struct mbuf *
 ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t *fp, const u_int hash)
 {
-	struct ip *ip = ipqe->ipqe_ip;
+	struct ip *ip = ipqe->ipqe_ip, *qip;
 	const int hlen = ip->ip_hl << 2;
 	struct mbuf *m = ipqe->ipqe_m, *t;
 	int ipsecflags = m->m_flags & (M_DECRYPTED|M_AUTHIPHDR);
@@ -232,6 +230,16 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	m->m_data += hlen;
 	m->m_len -= hlen;
 
+#ifdef	notyet
+	/* Make sure fragment limit is up-to-date. */
+	CHECK_NMBCLUSTER_PARAMS();
+
+	/* If we have too many fragments, drop the older half. */
+	if (ip_nfrags >= ip_maxfrags) {
+		ip_reass_drophalf(void);
+	}
+#endif
+
 	/*
 	 * We are about to add a fragment; increment frag count.
 	 */
@@ -247,9 +255,9 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 		 * never accept fragments  b) if maxfrag is -1, accept
 		 * all fragments without limitation.
 		 */
-		if (ip_maxfragpackets < 0) {
-			/* no limit */
-		} else if (ip_nfragpackets >= ip_maxfragpackets) {
+		if (ip_maxfragpackets < 0)
+			;
+		else if (ip_nfragpackets >= ip_maxfragpackets) {
 			goto dropfrag;
 		}
 		fp = malloc(sizeof(ipfr_queue_t), M_FTABLE, M_NOWAIT);
@@ -277,7 +285,7 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * Find a segment which begins after this one does.
 	 */
 	TAILQ_FOREACH(q, >ipq_fragq, ipqe_q) {
-		if (q->ipqe_off > ipqe->ipqe_off)
+		if (ntohs(q->ipqe_ip->ip_off) > ntohs(ip->ip_off))
 			break;
 	}
 	if (q != NULL) {
@@ -292,14 +300,15 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * If it provides all of our data, drop us.
 	 */
 	if (p != NULL) {
-		i = p->ipqe_off + p->ipqe_len - ipqe->ipqe_off;
+		i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
+		ntohs(ip->ip_off);
 		if (i > 0) {
-			if (i >= ipqe->ipqe_len) {
+			if (i >= ntohs(ip->ip_len)) {
 goto dropfrag;
 			}
 			m_adj(ipqe->ipqe_m, i);
-			ipqe->ipqe_off = ipqe->ipqe_off + i;
-			ipqe->ipqe_len = ipqe->ipqe_len - i;
+			ip->ip_off = htons(ntohs(ip->ip_off) + i);
+			ip->ip_len = htons(ntohs(ip->ip_len) - i);
 		}
 	}
 
@@ -308,13 +317,17 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * completely covered, dequeue them.
 	 */
 	while (q != NULL) {
-		i = ipqe->ipqe_off + ipqe->ipqe_len - q->ipqe_off;
-		if (i <= 0) {
+		size_t end;
+
+		qip = q->ipqe_ip;
+		end = ntohs(ip->ip_off) + ntohs(ip->ip_len);
+		if (end <= ntohs(qip->ip_off)) {
 			break;
 		}
-		if (i < q->ipqe_len) {
-			q->ipqe_off = q->ipqe_off + i;
-			q->ipqe_len = q->ipqe_len - i;
+		i = end - ntohs(qip->ip_off);
+		if (i < ntohs(qip->ip_len)) {
+			qip->ip_len = htons(ntohs(qip->ip_len) - i);
+			qip->ip_off = htons(ntohs(qip->ip_off) + i);
 			m_adj(q->ipqe_m, i);
 			break;
 		}
@@ -338,11 +351,12 @@ insert:
 	}
 	next = 0;
 	TAILQ_FOREACH(q, >ipq_fragq, ipqe_q) {
-		if (q->ipqe_off != next) {
+		qip = q->ipqe_ip;
+		if (ntohs(qip->ip_off) != next) {
 			mutex_exit(_lock);
 			return NULL;
 		}
-		next += q->ipqe_len;
+		next += ntohs(qip->ip_len);
 	}
 	p = TAILQ_LAST(>ipq_fragq, ipfr_qent_head);
 	if (p->ipqe_mff) {
@@ -637,6 +651,13 @@ ip_reass_packet(struct mbuf **m0, struct
 		return EINVAL;
 	}
 
+	/*
+	 * Adjust total IP length to not reflect header and convert
+	 * offset of this to bytes.  XXX: clobbers struct ip.
+	 */
+	ip->ip_len = htons(flen);
+	ip->ip_off = htons(off);
+
 	/* Look for queue of fragments of this datagram. */
 	mutex_enter(_lock);
 	hash = IPREASS_HASH(ip->ip_src.s_addr, ip->ip_id);
@@ -681,8 +702,6 @@ ip_reass_packet(struct mbuf **m0, struct
 	

CVS commit: [netbsd-8] src/sys/netinet

2018-10-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Oct  3 17:53:56 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1045):

sys/netinet/ip_reass.c: revision 1.19

Hold ip_off and ip_len in the fragment entry, instead of always reading
the associated mbuf (and converting to host order). This reduces the
cache/TLB misses when processing long lists.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.4 -r1.11.8.5 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.4 src/sys/netinet/ip_reass.c:1.11.8.5
--- src/sys/netinet/ip_reass.c:1.11.8.4	Thu Sep 27 15:07:34 2018
+++ src/sys/netinet/ip_reass.c	Wed Oct  3 17:53:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11.8.4 2018/09/27 15:07:34 martin Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.5 2018/10/03 17:53:56 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.4 2018/09/27 15:07:34 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.5 2018/10/03 17:53:56 martin Exp $");
 
 #include 
 #include 
@@ -80,6 +80,8 @@ typedef struct ipfr_qent {
 	struct ip *		ipqe_ip;
 	struct mbuf *		ipqe_m;
 	bool			ipqe_mff;
+	uint16_t		ipqe_off;
+	uint16_t		ipqe_len;
 } ipfr_qent_t;
 
 TAILQ_HEAD(ipfr_qent_head, ipfr_qent);
@@ -215,7 +217,7 @@ ip_nmbclusters_changed(void)
 struct mbuf *
 ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t *fp, const u_int hash)
 {
-	struct ip *ip = ipqe->ipqe_ip, *qip;
+	struct ip *ip = ipqe->ipqe_ip;
 	const int hlen = ip->ip_hl << 2;
 	struct mbuf *m = ipqe->ipqe_m, *t;
 	int ipsecflags = m->m_flags & (M_DECRYPTED|M_AUTHIPHDR);
@@ -230,16 +232,6 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	m->m_data += hlen;
 	m->m_len -= hlen;
 
-#ifdef	notyet
-	/* Make sure fragment limit is up-to-date. */
-	CHECK_NMBCLUSTER_PARAMS();
-
-	/* If we have too many fragments, drop the older half. */
-	if (ip_nfrags >= ip_maxfrags) {
-		ip_reass_drophalf(void);
-	}
-#endif
-
 	/*
 	 * We are about to add a fragment; increment frag count.
 	 */
@@ -255,9 +247,9 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 		 * never accept fragments  b) if maxfrag is -1, accept
 		 * all fragments without limitation.
 		 */
-		if (ip_maxfragpackets < 0)
-			;
-		else if (ip_nfragpackets >= ip_maxfragpackets) {
+		if (ip_maxfragpackets < 0) {
+			/* no limit */
+		} else if (ip_nfragpackets >= ip_maxfragpackets) {
 			goto dropfrag;
 		}
 		fp = malloc(sizeof(ipfr_queue_t), M_FTABLE, M_NOWAIT);
@@ -285,7 +277,7 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * Find a segment which begins after this one does.
 	 */
 	TAILQ_FOREACH(q, >ipq_fragq, ipqe_q) {
-		if (ntohs(q->ipqe_ip->ip_off) > ntohs(ip->ip_off))
+		if (q->ipqe_off > ipqe->ipqe_off)
 			break;
 	}
 	if (q != NULL) {
@@ -300,15 +292,14 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * If it provides all of our data, drop us.
 	 */
 	if (p != NULL) {
-		i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
-		ntohs(ip->ip_off);
+		i = p->ipqe_off + p->ipqe_len - ipqe->ipqe_off;
 		if (i > 0) {
-			if (i >= ntohs(ip->ip_len)) {
+			if (i >= ipqe->ipqe_len) {
 goto dropfrag;
 			}
 			m_adj(ipqe->ipqe_m, i);
-			ip->ip_off = htons(ntohs(ip->ip_off) + i);
-			ip->ip_len = htons(ntohs(ip->ip_len) - i);
+			ipqe->ipqe_off = ipqe->ipqe_off + i;
+			ipqe->ipqe_len = ipqe->ipqe_len - i;
 		}
 	}
 
@@ -317,17 +308,13 @@ ip_reass(ipfr_qent_t *ipqe, ipfr_queue_t
 	 * completely covered, dequeue them.
 	 */
 	while (q != NULL) {
-		size_t end;
-
-		qip = q->ipqe_ip;
-		end = ntohs(ip->ip_off) + ntohs(ip->ip_len);
-		if (end <= ntohs(qip->ip_off)) {
+		i = ipqe->ipqe_off + ipqe->ipqe_len - q->ipqe_off;
+		if (i <= 0) {
 			break;
 		}
-		i = end - ntohs(qip->ip_off);
-		if (i < ntohs(qip->ip_len)) {
-			qip->ip_len = htons(ntohs(qip->ip_len) - i);
-			qip->ip_off = htons(ntohs(qip->ip_off) + i);
+		if (i < q->ipqe_len) {
+			q->ipqe_off = q->ipqe_off + i;
+			q->ipqe_len = q->ipqe_len - i;
 			m_adj(q->ipqe_m, i);
 			break;
 		}
@@ -351,12 +338,11 @@ insert:
 	}
 	next = 0;
 	TAILQ_FOREACH(q, >ipq_fragq, ipqe_q) {
-		qip = q->ipqe_ip;
-		if (ntohs(qip->ip_off) != next) {
+		if (q->ipqe_off != next) {
 			mutex_exit(_lock);
 			return NULL;
 		}
-		next += ntohs(qip->ip_len);
+		next += q->ipqe_len;
 	}
 	p = TAILQ_LAST(>ipq_fragq, ipfr_qent_head);
 	if (p->ipqe_mff) {
@@ -651,13 +637,6 @@ ip_reass_packet(struct mbuf **m0, struct
 		return EINVAL;
 	}
 
-	/*
-	 * Adjust total IP length to not reflect header and convert
-	 * offset of this to bytes.  XXX: clobbers struct ip.
-	 */
-	ip->ip_len = htons(flen);
-	ip->ip_off = htons(off);
-
 	/* Look for queue of fragments of this datagram. */
 	mutex_enter(_lock);
 	hash = 

CVS commit: [netbsd-8] src/sys/netinet

2018-10-03 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Oct  3 17:53:56 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1045):

sys/netinet/ip_reass.c: revision 1.19

Hold ip_off and ip_len in the fragment entry, instead of always reading
the associated mbuf (and converting to host order). This reduces the
cache/TLB misses when processing long lists.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.4 -r1.11.8.5 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-06-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jun  7 16:05:09 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #837):

sys/netinet/udp_usrreq.c: revision 1.237

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.233.4.2 -r1.233.4.3 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.233.4.2 src/sys/netinet/udp_usrreq.c:1.233.4.3
--- src/sys/netinet/udp_usrreq.c:1.233.4.2	Mon Apr  9 13:34:10 2018
+++ src/sys/netinet/udp_usrreq.c	Thu Jun  7 16:05:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -410,7 +410,15 @@ udp_input(struct mbuf *m, ...)
 		 */
 		return;
 	}
+
 	ip = mtod(m, struct ip *);
+	IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr));
+	if (uh == NULL) {
+		UDP_STATINC(UDP_STAT_HDROPS);
+		return;
+	}
+	/* XXX Re-enforce alignment? */
+
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
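Review bot: The new `if (uh == NULL)` branch in udp_input() returns without freeing `m`, and nothing in the hunk says why that is not a leak. `IP6_EXTHDR_GET` is expected to release the chain itself when the pull-down fails, so the return is probably correct, but that ownership rule should be stated on the spot, e.g. `/* m was already freed by IP6_EXTHDR_GET */`. The `/* XXX Re-enforce alignment? */` also leaves open whether `uh` can be dereferenced safely on strict-alignment platforms once the chain has been modified. Any alignment check done on entry is outside the hunk, so this should be resolved or tracked rather than left as a bare XXX.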
@@ -1287,7 +1295,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
-		m_free(m);
+		m_freem(m);
 		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
@@ -1368,7 +1376,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	if (ipsec_used)
 		ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
-	/* XXX: else */
+	else
+		m_freem(m);
 
 	/* We handled it, it shouldn't be handled by UDP */
 	*mp = NULL; /* avoid free by caller ... */



CVS commit: [netbsd-8] src/sys/netinet

2018-06-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Jun  7 16:05:09 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #837):

sys/netinet/udp_usrreq.c: revision 1.237

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.233.4.2 -r1.233.4.3 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-04-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr  9 16:40:07 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Additionally pull up the following revision for ticket #668,
requested by ozaki-r:

sys/netinet/ip_reass.c 1.13

Change the error stat from IP_STAT_BADFRAGS to IP_STAT_TOOLONG. The
ping_of_death ATF test expects this counter to get increased.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.2 -r1.11.8.3 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-04-09 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr  9 16:40:07 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Additionally pull up the following revision for ticket #668,
requested by ozaki-r:

sys/netinet/ip_reass.c 1.13

Change the error stat from IP_STAT_BADFRAGS to IP_STAT_TOOLONG. The
ping_of_death ATF test expects this counter to get increased.


To generate a diff of this commit:
cvs rdiff -u -r1.11.8.2 -r1.11.8.3 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11.8.2 src/sys/netinet/ip_reass.c:1.11.8.3
--- src/sys/netinet/ip_reass.c:1.11.8.2	Thu Apr  5 14:33:41 2018
+++ src/sys/netinet/ip_reass.c	Mon Apr  9 16:40:07 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.3 2018/04/09 16:40:07 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.2 2018/04/05 14:33:41 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.3 2018/04/09 16:40:07 martin Exp $");
 
 #include 
 #include 
@@ -632,7 +632,7 @@ ip_reass_packet(struct mbuf **m0, struct
 	}
 
 	if (off + len > IP_MAXPACKET) {
-		IP_STATINC(IP_STAT_BADFRAGS);
+		IP_STATINC(IP_STAT_TOOLONG);
 		return EINVAL;
 	}
 



CVS commit: [netbsd-8] src/sys/netinet

2018-04-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Apr  9 04:04:21 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #701):
sys/netinet/in.c: 1.228
Protect ip_dad_count with if NARP > 0 to fix compilation


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.12 -r1.203.2.13 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in.c
diff -u src/sys/netinet/in.c:1.203.2.12 src/sys/netinet/in.c:1.203.2.13
--- src/sys/netinet/in.c:1.203.2.12	Sun Apr  8 06:09:12 2018
+++ src/sys/netinet/in.c	Mon Apr  9 04:04:21 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: in.c,v 1.203.2.12 2018/04/08 06:09:12 snj Exp $	*/
+/*	$NetBSD: in.c,v 1.203.2.13 2018/04/09 04:04:21 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.12 2018/04/08 06:09:12 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.13 2018/04/09 04:04:21 snj Exp $");
 
 #include "arp.h"
 
@@ -1150,7 +1150,11 @@ in_ifinit(struct ifnet *ifp, struct in_i
 	if (ifp->if_link_state == LINK_STATE_DOWN) {
 		ia->ia4_flags |= IN_IFF_DETACHED;
 		ia->ia4_flags &= ~IN_IFF_TENTATIVE;
-	} else if (hostIsNew && if_do_dad(ifp) && ip_dad_count > 0)
+	} else if (hostIsNew && if_do_dad(ifp)
+#if NARP > 0
+	&& ip_dad_count > 0
+#endif
+	)
 		ia->ia4_flags |= IN_IFF_TRYTENTATIVE;
 
 	/*
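Review bot: Splicing `#if NARP > 0` into the middle of the `else if` condition in in_ifinit() makes the test hard to read and changes its meaning by configuration. With NARP == 0 it reduces to `hostIsNew && if_do_dad(ifp)`, so `IN_IFF_TRYTENTATIVE` is set without any `ip_dad_count` gate. Whether that is intended, as opposed to treating the count as zero, cannot be told from the hunk. A short comment such as `/* without ARP there is no ip_dad_count; DAD is gated by if_do_dad() alone */` would record the intent, or the term could be moved behind a small macro defined once under `#if NARP > 0`. The rest of in_ifinit() is outside the hunk.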



CVS commit: [netbsd-8] src/sys/netinet

2018-04-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Apr  9 04:04:21 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #701):
sys/netinet/in.c: 1.228
Protect ip_dad_count with if NARP > 0 to fix compilation


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.12 -r1.203.2.13 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-03-31 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Mar 31 10:38:53 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_icmp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #675):

sys/netinet/ip_icmp.c: revision 1.168

Fix a possible buffer overflow in the IPv4 _ctlinput functions.

In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.

ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:

(uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

which can be crafted to be:

(uint8_t *)icp + 68

So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.

The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.

Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.


To generate a diff of this commit:
cvs rdiff -u -r1.161 -r1.161.6.1 src/sys/netinet/ip_icmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-03-31 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Mar 31 10:38:53 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_icmp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #675):

sys/netinet/ip_icmp.c: revision 1.168

Fix a possible buffer overflow in the IPv4 _ctlinput functions.

In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.

ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:

(uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

which can be crafted to be:

(uint8_t *)icp + 68

So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.

The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.

Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.


To generate a diff of this commit:
cvs rdiff -u -r1.161 -r1.161.6.1 src/sys/netinet/ip_icmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_icmp.c
diff -u src/sys/netinet/ip_icmp.c:1.161 src/sys/netinet/ip_icmp.c:1.161.6.1
--- src/sys/netinet/ip_icmp.c:1.161	Fri Mar 31 06:49:44 2017
+++ src/sys/netinet/ip_icmp.c	Sat Mar 31 10:38:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.c,v 1.161 2017/03/31 06:49:44 ozaki-r Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.161.6.1 2018/03/31 10:38:53 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -94,7 +94,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.161 2017/03/31 06:49:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.161.6.1 2018/03/31 10:38:53 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -541,6 +541,14 @@ _icmp_input(struct mbuf *m, int hlen, in
 			ICMP_STATINC(ICMP_STAT_BADLEN);
 			goto freeit;
 		}
+		if (m->m_len < hlen + ICMP_ADVLEN(icp)) {
+			m = m_pullup(m, hlen + ICMP_ADVLEN(icp));
+			if (m == NULL)
+goto freeit;
+		}
+		ip = mtod(m, struct ip *);
+		icp = (struct icmp *)(mtod(m, uint8_t *) + hlen);
+
 		if (IN_MULTICAST(icp->icmp_ip.ip_dst.s_addr))
 			goto badcode;
 #ifdef ICMPPRINTFS
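Review bot: When `m_pullup()` fails the chain has already been freed and `m` is NULL, yet the added code jumps to `freeit`, a label outside this hunk that presumably frees `m` again. That is harmless only if the cleanup there accepts a NULL mbuf, which should be confirmed and noted next to the jump, e.g. `/* m is NULL here; freeit must tolerate that */`. The alternative is to return directly on this path. Separately, `ip` and `icp` are correctly rebased after the pull-up, but any other pointer derived from the old `m` earlier in _icmp_input() (not visible here) would now be stale and deserves the same check.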



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:17:19 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #662):

sys/netinet/tcp_input.c: revision 1.383 (via patch)

Revert rev1.183 (2003).

It was intended as an optimization, but it increases the attack surface:

the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.

Discussed with ozaki-r@.


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.2 -r1.357.4.3 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:17:19 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: tcp_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #662):

sys/netinet/tcp_input.c: revision 1.383 (via patch)

Revert rev1.183 (2003).

It was intended as an optimization, but it increases the attack surface:

the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.

Discussed with ozaki-r@.


To generate a diff of this commit:
cvs rdiff -u -r1.357.4.2 -r1.357.4.3 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.357.4.2 src/sys/netinet/tcp_input.c:1.357.4.3
--- src/sys/netinet/tcp_input.c:1.357.4.2	Sat Oct 21 19:43:54 2017
+++ src/sys/netinet/tcp_input.c	Fri Mar 30 11:17:19 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.357.4.2 2017/10/21 19:43:54 snj Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.2 2017/10/21 19:43:54 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1475,16 +1475,12 @@ findpcb:
 		}
 #if defined(IPSEC)
 		if (ipsec_used) {
-			if (inp &&
-			(inp->inp_socket->so_options & SO_ACCEPTCONN) == 0
-			&& ipsec4_in_reject(m, inp)) {
+			if (inp && ipsec4_in_reject(m, inp)) {
 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 goto drop;
 			}
 #ifdef INET6
-			else if (in6p &&
-			(in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-			&& ipsec6_in_reject(m, in6p)) {
+			else if (in6p && ipsec6_in_reject(m, in6p)) {
 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 goto drop;
 			}
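Review bot: In the IPv6 arm of this hunk, the rejection after `ipsec6_in_reject(m, in6p)` is counted with `IPSEC_STATINC(IPSEC_STAT_IN_POLVIO)`. The next hunk and the removed LISTEN-state block both use `IPSEC6_STATINC` for the same event. Now that this path also covers listening sockets, policy violations on IPv6 SYN and RST traffic would land in the IPv4 counter, which skews the statistics an operator would use to notice this kind of RST interference. I would change that line to `IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);`. The surrounding `findpcb:` code extends beyond the hunk, so other call sites should be checked for the same mix-up.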
@@ -1520,9 +1516,7 @@ findpcb:
 			goto dropwithreset_ratelim;
 		}
 #if defined(IPSEC)
-		if (ipsec_used && in6p
-		&& (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-		&& ipsec6_in_reject(m, in6p)) {
+		if (ipsec_used && in6p && ipsec6_in_reject(m, in6p)) {
 			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto drop;
 		}
@@ -1830,39 +1824,6 @@ findpcb:
 }
 #endif
 
-#if defined(IPSEC)
-if (ipsec_used) {
-	switch (af) {
-#ifdef INET
-	case AF_INET:
-		/*
-		 * inp can be NULL when
-		 * receiving an IPv4 packet on
-		 * an IPv4-mapped IPv6 address.
-		 */
-		KASSERT(inp == NULL ||
-		sotoinpcb(so) == inp);
-		if (!ipsec4_in_reject(m, inp))
-			break;
-		IPSEC_STATINC(
-		IPSEC_STAT_IN_POLVIO);
-		tp = NULL;
-		goto dropwithreset;
-#endif
-#ifdef INET6
-	case AF_INET6:
-		KASSERT(sotoin6pcb(so) == in6p);
-		if (!ipsec6_in_reject(m, in6p))
-			break;
-		IPSEC6_STATINC(
-		IPSEC_STAT_IN_POLVIO);
-		tp = NULL;
-		goto dropwithreset;
-#endif /*INET6*/
-	}
-}
-#endif /*IPSEC*/
-
 /*
  * LISTEN socket received a SYN
  * from itself?  This can't possibly



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:12:15 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #661):

sys/netinet/ip_encap.c: revision 1.67

Fix memory leak, found by Mootja.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:12:15 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_encap.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #661):

sys/netinet/ip_encap.c: revision 1.67

Fix memory leak, found by Mootja.


To generate a diff of this commit:
cvs rdiff -u -r1.65.2.1 -r1.65.2.2 src/sys/netinet/ip_encap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_encap.c
diff -u src/sys/netinet/ip_encap.c:1.65.2.1 src/sys/netinet/ip_encap.c:1.65.2.2
--- src/sys/netinet/ip_encap.c:1.65.2.1	Sun Dec 10 09:41:31 2017
+++ src/sys/netinet/ip_encap.c	Fri Mar 30 11:12:15 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_encap.c,v 1.65.2.1 2017/12/10 09:41:31 snj Exp $	*/
+/*	$NetBSD: ip_encap.c,v 1.65.2.2 2018/03/30 11:12:15 martin Exp $	*/
 /*	$KAME: ip_encap.c,v 1.73 2001/10/02 08:30:58 itojun Exp $	*/
 
 /*
@@ -68,7 +68,7 @@
 #define USE_RADIX
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.1 2017/12/10 09:41:31 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_encap.c,v 1.65.2.2 2018/03/30 11:12:15 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mrouting.h"
@@ -822,7 +822,7 @@ encap_attach_func(int af, int proto,
 
 	error = encap_add(ep);
 	if (error)
-		goto fail;
+		goto gc;
 
 	error = 0;
 #ifndef ENCAP_MPSAFE
@@ -830,6 +830,8 @@ encap_attach_func(int af, int proto,
 #endif
 	return ep;
 
+gc:
+	kmem_free(ep, sizeof(*ep));
 fail:
 #ifndef ENCAP_MPSAFE
 	splx(s);
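Review bot: The new `gc:` label frees `ep` and then relies on falling through into `fail:` for the splx()/return path, and nothing at the label says so or says why `ep` may be freed there. A one-line comment such as `/* encap_add() failed: ep is not linked anywhere yet, free it and fall through */` (if that is indeed the invariant) would stop a later edit from inserting code between the two labels or from jumping to `gc` once `ep` is reachable by others. The allocation of `ep` and the other `goto fail` sites in encap_attach_func() lie outside both hunks, so it is worth confirming that no path between the allocation and encap_add() still jumps straight to `fail`.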



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:10:14 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #668):
sys/netinet/ip_reass.c: revision 1.12

Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.

In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.

But there is an integer overflow that can happen a little earlier. We
are doing:

i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
ntohs(ip->ip_off);
[...]
ip->ip_off = htons(ntohs(ip->ip_off) + i);

It is possible that

ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535

so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.

With the new check, it is guaranteed that ip_off+ip_len<=65535.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.8.1 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_reass.c
diff -u src/sys/netinet/ip_reass.c:1.11 src/sys/netinet/ip_reass.c:1.11.8.1
--- src/sys/netinet/ip_reass.c:1.11	Wed Jan 11 13:08:29 2017
+++ src/sys/netinet/ip_reass.c	Fri Mar 30 11:10:14 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $	*/
+/*	$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $");
 
 #include 
 #include 
@@ -629,6 +629,11 @@ ip_reass_packet(struct mbuf **m0, struct
 		return EINVAL;
 	}
 
+	if (off + len > IP_MAXPACKET) {
+		IP_STATINC(IP_STAT_BADFRAGS);
+		return EINVAL;
+	}
+
 	/*
 	 * Fragment length and MF flag.  Make sure that fragments have
 	 * a data length which is non-zero and multiple of 8 bytes.
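Review bot: The added `off + len > IP_MAXPACKET` test carries no comment, so the reason it exists (the 16-bit `ip_off` arithmetic in ip_reass() described in the log message) is lost once the commit text is out of sight. Suggest `/* A fragment must end within IP_MAXPACKET, otherwise the ip_off fix-up in ip_reass() can wrap and break offset ordering. */` above the `if`. The declarations of `off` and `len` are outside the hunk; the check is only sound if their sum is evaluated in a type wider than 16 bits, which should be confirmed where they are declared.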



CVS commit: [netbsd-8] src/sys/netinet

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:10:14 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_reass.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #668):
sys/netinet/ip_reass.c: revision 1.12

Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.

In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.

But there is an integer overflow that can happen a little earlier. We
are doing:

i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
ntohs(ip->ip_off);
[...]
ip->ip_off = htons(ntohs(ip->ip_off) + i);

It is possible that

ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535

so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.

With the new check, it is guaranteed that ip_off+ip_len<=65535.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.8.1 src/sys/netinet/ip_reass.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-02-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 19 18:39:43 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #557):
sys/netinet/ip_output.c: 1.295
Keep a pointer to the interface of the multicast membership, because the
multicast element itself might go away in in_delmulti (but the interface
can't because we hold the lock). From ozaki-r@


To generate a diff of this commit:
cvs rdiff -u -r1.279.2.5 -r1.279.2.6 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.279.2.5 src/sys/netinet/ip_output.c:1.279.2.6
--- src/sys/netinet/ip_output.c:1.279.2.5	Sat Jan 13 21:52:06 2018
+++ src/sys/netinet/ip_output.c	Mon Feb 19 18:39:43 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.279.2.5 2018/01/13 21:52:06 snj Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.279.2.6 2018/02/19 18:39:43 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279.2.5 2018/01/13 21:52:06 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279.2.6 2018/02/19 18:39:43 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1836,9 +1836,10 @@ ip_drop_membership(struct ip_moptions *i
 	 * Give up the multicast address record to which the
 	 * membership points.
 	 */
-	IFNET_LOCK(imo->imo_membership[i]->inm_ifp);
+	struct ifnet *inm_ifp = imo->imo_membership[i]->inm_ifp;
+	IFNET_LOCK(inm_ifp);
 	in_delmulti(imo->imo_membership[i]);
-	IFNET_UNLOCK(imo->imo_membership[i]->inm_ifp);
+	IFNET_UNLOCK(inm_ifp);
 
 	/*
 	 * Remove the gap in the membership array.
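Review bot: Nothing at the new `inm_ifp` local says that it exists to avoid reading `imo->imo_membership[i]` after `in_delmulti()` has run, so it looks like a convenience variable that a later tidy-up could fold back into the two macro calls. A comment on the declaration, `/* in_delmulti() may free the record; keep its ifp for the unlock */`, would protect the fix. The declaration also sits in the middle of the block; if the file keeps declarations at the top of a scope, it belongs at the head of ip_drop_membership(), which is outside this hunk.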



CVS commit: [netbsd-8] src/sys/netinet

2018-02-19 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 19 18:39:43 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #557):
sys/netinet/ip_output.c: 1.295
Keep a pointer to the interface of the multicast membership, because the
multicast element itself might go away in in_delmulti (but the interface
can't because we hold the lock). From ozaki-r@


To generate a diff of this commit:
cvs rdiff -u -r1.279.2.5 -r1.279.2.6 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-02-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 12 18:23:29 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #547):
sys/netinet/ip_input.c: 1.366
Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.
By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.
It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.355.2.3 -r1.355.2.4 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-02-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Mon Feb 12 18:23:29 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #547):
sys/netinet/ip_input.c: 1.366
Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.
By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.
It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.355.2.3 -r1.355.2.4 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.355.2.3 src/sys/netinet/ip_input.c:1.355.2.4
--- src/sys/netinet/ip_input.c:1.355.2.3	Tue Jan  2 10:20:34 2018
+++ src/sys/netinet/ip_input.c	Mon Feb 12 18:23:29 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.355.2.3 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.355.2.4 2018/02/12 18:23:29 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.355.2.3 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.355.2.4 2018/02/12 18:23:29 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -162,10 +162,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1
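Review bot: The comments on `IPFORWSRCRT` and `IPALLOWSRCRT` still only name the feature; they do not say that 0 is a deliberate security default, nor that the `#ifndef` guards let a kernel configuration turn it back on. Suggest `#define IPFORWSRCRT 0 /* forward source-routed packets; off by default (source routing lets a sender relay through this host) */` and matching wording for `IPALLOWSRCRT`. Because these are compile-time defaults only, a deployment that defines either option in its kernel config, or changes the corresponding runtime setting (not visible in this hunk), keeps the old behaviour and should be audited separately.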



CVS commit: [netbsd-8] src/sys/netinet

2018-02-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb 11 21:46:25 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #539):
sys/netinet/in.c: 1.217
Don't call lltable_purge_entries from in_if_down if ARP isn't enabled
Reported by bouyer@


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.8 -r1.203.2.9 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-02-11 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sun Feb 11 21:46:25 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #539):
sys/netinet/in.c: 1.217
Don't call lltable_purge_entries from in_if_down if ARP isn't enabled
Reported by bouyer@


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.8 -r1.203.2.9 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in.c
diff -u src/sys/netinet/in.c:1.203.2.8 src/sys/netinet/in.c:1.203.2.9
--- src/sys/netinet/in.c:1.203.2.8	Sun Feb 11 21:17:34 2018
+++ src/sys/netinet/in.c	Sun Feb 11 21:46:25 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: in.c,v 1.203.2.8 2018/02/11 21:17:34 snj Exp $	*/
+/*	$NetBSD: in.c,v 1.203.2.9 2018/02/11 21:46:25 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.8 2018/02/11 21:17:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.9 2018/02/11 21:46:25 snj Exp $");
 
 #include "arp.h"
 
@@ -1539,7 +1539,9 @@ in_if_down(struct ifnet *ifp)
 {
 
 	in_if_link_down(ifp);
+#if NARP > 0
 	lltable_purge_entries(LLTABLE(ifp));
+#endif
 }
 
 void



CVS commit: [netbsd-8] src/sys/netinet

2018-01-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jan 13 21:52:07 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #494):
sys/netinet/ip_output.c: revision 1.291-1.292
- this is not python, we need braces
- protect ifp locking against NULL
--
from ozaki-r: use the proper ifp.
XXX: perhaps push the lock in in_delmulti()?


To generate a diff of this commit:
cvs rdiff -u -r1.279.2.4 -r1.279.2.5 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.279.2.4 src/sys/netinet/ip_output.c:1.279.2.5
--- src/sys/netinet/ip_output.c:1.279.2.4	Tue Jan  2 10:56:58 2018
+++ src/sys/netinet/ip_output.c	Sat Jan 13 21:52:06 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.279.2.4 2018/01/02 10:56:58 snj Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.279.2.5 2018/01/13 21:52:06 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279.2.4 2018/01/02 10:56:58 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279.2.5 2018/01/13 21:52:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1806,13 +1806,14 @@ ip_drop_membership(struct ip_moptions *i
 	bound = curlwp_bind();
 	if (sopt->sopt_size == sizeof(struct ip_mreq))
 		error = ip_get_membership(sopt, , , , false);
-	else
+	else {
 #ifdef INET6
 		error = ip6_get_membership(sopt, , , , sizeof(ia));
 #else
 		error = EINVAL;
 		goto out;
 #endif
+	}
 
 	if (error)
 		goto out;
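Review bot: With the braces in place, the `goto out;` in the `#else` arm is redundant, because `error = EINVAL;` is followed immediately by `if (error) goto out;` after the block. Dropping it leaves `error = EINVAL;` as the whole non-INET6 arm and makes both arms end the same way. ip_drop_membership() starts and ends outside this hunk.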
@@ -1835,9 +1836,9 @@ ip_drop_membership(struct ip_moptions *i
 	 * Give up the multicast address record to which the
 	 * membership points.
 	 */
-	IFNET_LOCK(ifp);
+	IFNET_LOCK(imo->imo_membership[i]->inm_ifp);
 	in_delmulti(imo->imo_membership[i]);
-	IFNET_UNLOCK(ifp);
+	IFNET_UNLOCK(imo->imo_membership[i]->inm_ifp);
 
 	/*
 	 * Remove the gap in the membership array.
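Review bot: `IFNET_UNLOCK(imo->imo_membership[i]->inm_ifp)` re-reads the membership record after `in_delmulti(imo->imo_membership[i])` has run; if in_delmulti() releases that record, the unlock dereferences freed memory. Read the interface pointer once before the call, `struct ifnet *inm_ifp = imo->imo_membership[i]->inm_ifp;`, and then use `IFNET_LOCK(inm_ifp);` and `IFNET_UNLOCK(inm_ifp);`. The log message also mentions protecting the lock against NULL, but no NULL test is visible in this hunk; the rest of ip_drop_membership() is outside it.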



CVS commit: [netbsd-8] src/sys/netinet

2018-01-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jan 13 21:52:07 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #494):
sys/netinet/ip_output.c: revision 1.291-1.292
- this is not python, we need braces
- protect ifp locking against NULL
--
from ozaki-r: use the proper ifp.
XXX: perhaps push the lock in in_delmulti()?


To generate a diff of this commit:
cvs rdiff -u -r1.279.2.4 -r1.279.2.5 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2018-01-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jan 13 05:45:06 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #488):
sys/netinet/in.c: revision 1.213
Don't pass rwlock to callout_halt


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.5 -r1.203.2.6 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in.c
diff -u src/sys/netinet/in.c:1.203.2.5 src/sys/netinet/in.c:1.203.2.6
--- src/sys/netinet/in.c:1.203.2.5	Tue Jan  2 10:56:58 2018
+++ src/sys/netinet/in.c	Sat Jan 13 05:45:06 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: in.c,v 1.203.2.5 2018/01/02 10:56:58 snj Exp $	*/
+/*	$NetBSD: in.c,v 1.203.2.6 2018/01/13 05:45:06 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.5 2018/01/02 10:56:58 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in.c,v 1.203.2.6 2018/01/13 05:45:06 snj Exp $");
 
 #include "arp.h"
 
@@ -1953,6 +1953,7 @@ in_lltable_free_entry(struct lltable *ll
 {
 	struct ifnet *ifp __diagused;
 	size_t pkts_dropped;
+	bool locked = false;
 
 	LLE_WLOCK_ASSERT(lle);
 	KASSERT(llt != NULL);
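Review bot: `ifp` is still declared `__diagused` on the line above the new `locked` flag, but the following hunk passes it to `IF_AFDATA_WUNLOCK(ifp)` and `IF_AFDATA_WLOCK(ifp)`, which read as lock operations rather than assertions. The marker no longer describes how the variable is used and should be dropped. Since `ifp` is only assigned inside the branch that sets `locked`, an initialiser makes the pairing explicit: `struct ifnet *ifp = NULL;`. in_lltable_free_entry() continues outside this hunk.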
@@ -1962,15 +1963,32 @@ in_lltable_free_entry(struct lltable *ll
 		ifp = llt->llt_ifp;
 		IF_AFDATA_WLOCK_ASSERT(ifp);
 		lltable_unlink_entry(llt, lle);
+		locked = true;
 	}
 
+	/*
+	 * We need to release the lock here to lle_timer proceeds;
+	 * lle_timer should stop immediately if LLE_LINKED isn't set.
+	 * Note that we cannot pass lle->lle_lock to callout_halt
+	 * because it's a rwlock.
+	 */
+	LLE_ADDREF(lle);
+	LLE_WUNLOCK(lle);
+	if (locked)
+		IF_AFDATA_WUNLOCK(ifp);
+
 	/* cancel timer */
-	if (callout_halt(>lle_timer, >lle_lock))
-		LLE_REMREF(lle);
+	callout_halt(>lle_timer, NULL);
+
+	LLE_WLOCK(lle);
+	LLE_REMREF(lle);
 
 	/* Drop hold queue */
 	pkts_dropped = llentry_free(lle);
 	arp_stat_add(ARP_STAT_DFRDROPPED, (uint64_t)pkts_dropped);
+
+	if (locked)
+		IF_AFDATA_WLOCK(ifp);
 }
 
 static int
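Review bot: in_lltable_free_entry() now drops the lle write lock and, when `locked` is set, the caller's IF_AFDATA write lock around `callout_halt()`, and nothing tells callers that a lock they hold on entry is released and re-taken inside the call. Any caller that walks or modifies the table under that lock has to tolerate changes across this call; a header comment on the function should state it, e.g. `/* May temporarily release IF_AFDATA_WLOCK and the lle lock; callers must revalidate table state afterwards. */`. The re-acquire order at the end is lle first and IF_AFDATA second, the reverse of entry unless llentry_free() (not visible here) returns with the lle lock released, which is worth confirming. The first line of the new block comment would read better as `We need to release the locks here so that lle_timer can proceed;`.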



CVS commit: [netbsd-8] src/sys/netinet

2018-01-12 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Jan 13 05:45:06 UTC 2018

Modified Files:
src/sys/netinet [netbsd-8]: in.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #488):
sys/netinet/in.c: revision 1.213
Don't pass rwlock to callout_halt


To generate a diff of this commit:
cvs rdiff -u -r1.203.2.5 -r1.203.2.6 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2017-08-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 25 05:36:17 UTC 2017

Modified Files:
src/sys/netinet [netbsd-8]: tcp_usrreq.c

Log Message:
Pull up following revision(s) (requested by jdolecek in ticket #216):
sys/netinet/tcp_usrreq.c: revision 1.216
add some more getsockopt(2) params


To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.214.6.1 src/sys/netinet/tcp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_usrreq.c
diff -u src/sys/netinet/tcp_usrreq.c:1.214 src/sys/netinet/tcp_usrreq.c:1.214.6.1
--- src/sys/netinet/tcp_usrreq.c:1.214	Tue Jan 24 07:09:24 2017
+++ src/sys/netinet/tcp_usrreq.c	Fri Aug 25 05:36:16 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_usrreq.c,v 1.214 2017/01/24 07:09:24 ozaki-r Exp $	*/
+/*	$NetBSD: tcp_usrreq.c,v 1.214.6.1 2017/08/25 05:36:16 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -99,7 +99,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.214 2017/01/24 07:09:24 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.214.6.1 2017/08/25 05:36:16 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -464,17 +464,14 @@ tcp_ctloutput(int op, struct socket *so,
 #ifdef TCP_SIGNATURE
 		case TCP_MD5SIG:
 			optval = (tp->t_flags & TF_SIGNATURE) ? 1 : 0;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 #endif
 		case TCP_NODELAY:
 			optval = tp->t_flags & TF_NODELAY;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 		case TCP_MAXSEG:
 			optval = tp->t_peermss;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 		case TCP_INFO:
 			tcp_fill_info(tp, );
 			error = sockopt_set(sopt, , sizeof ti);
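Review bot: The three `goto setval;` jumps land on a label that the next hunk places in the middle of `case TCP_KEEPINIT`, so the shared `sockopt_set()` call is owned by an unrelated option and breaks every other case if that one is ever removed or put under an `#ifdef`. Giving the shared tail its own position just before `default:`, with the KEEPINIT case ending in `goto setval;` like the others, keeps the cases uniform. tcp_ctloutput() starts and ends outside this hunk.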
@@ -483,6 +480,19 @@ tcp_ctloutput(int op, struct socket *so,
 		case TCP_CONGCTL:
 			break;
 #endif
+		case TCP_KEEPIDLE:
+			optval = tp->t_keepidle;
+			goto setval;
+		case TCP_KEEPINTVL:
+			optval = tp->t_keepintvl;
+			goto setval;
+		case TCP_KEEPCNT:
+			optval = tp->t_keepcnt;
+			goto setval;
+		case TCP_KEEPINIT:
+			optval = tp->t_keepcnt;
+setval:			error = sockopt_set(sopt, , sizeof(optval));
+			break;
 		default:
 			error = ENOPROTOOPT;
 			break;
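Review bot: `case TCP_KEEPINIT` reads `tp->t_keepcnt`, the same field as `case TCP_KEEPCNT` directly above it, so getsockopt(TCP_KEEPINIT) reports the keepalive probe count instead of the value configured for that option. This looks like a copy-paste slip; the line should be `optval = tp->t_keepinit;`. Whether these fields are stored in the same units that the set side accepts cannot be seen from this hunk and is worth checking at the same time.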



CVS commit: [netbsd-8] src/sys/netinet

2017-08-24 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Fri Aug 25 05:36:17 UTC 2017

Modified Files:
src/sys/netinet [netbsd-8]: tcp_usrreq.c

Log Message:
Pull up following revision(s) (requested by jdolecek in ticket #216):
sys/netinet/tcp_usrreq.c: revision 1.216
add some more getsockopt(2) params


To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.214.6.1 src/sys/netinet/tcp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-8] src/sys/netinet

2017-07-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jul  7 09:23:01 UTC 2017

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by roy in ticket #100):
sys/netinet/ip_output.c: revision 1.280
sys/netinet/ip_output.c: revision 1.282
When outputting, search for the sending address on the sending interface
rather than blindly picking the first matcing address from any interface
when testing source address validity.
This allows another interface to have the same address, but be detached.
Rename u to udst, .dst to .sa and .dst4 to sin.
Create sockaddr for the source address in usrc so it won't stamp on udst.
This fixes a regression caused in r1.280


To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.279.2.1 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.279 src/sys/netinet/ip_output.c:1.279.2.1
--- src/sys/netinet/ip_output.c:1.279	Fri May 12 17:53:54 2017
+++ src/sys/netinet/ip_output.c	Fri Jul  7 09:23:01 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.279 2017/05/12 17:53:54 ryo Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.279.2.1 2017/07/07 09:23:01 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279 2017/05/12 17:53:54 ryo Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.279.2.1 2017/07/07 09:23:01 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -236,18 +236,19 @@ ip_output(struct mbuf *m0, struct mbuf *
 	struct route iproute;
 	const struct sockaddr_in *dst;
 	struct in_ifaddr *ia = NULL;
+	struct ifaddr *ifa;
 	int isbroadcast;
 	int sw_csum;
 	u_long mtu;
 	bool natt_frag = false;
 	bool rtmtu_nolock;
 	union {
-		struct sockaddr		dst;
-		struct sockaddr_in	dst4;
-	} u;
-	struct sockaddr *rdst = 	/* real IP destination, as opposed
-	 * to the nexthop
-	 */
+		struct sockaddr		sa;
+		struct sockaddr_in	sin;
+	} udst, usrc;
+	struct sockaddr *rdst = 	/* real IP destination, as
+		 * opposed to the nexthop
+		 */
 	struct psref psref, psref_ia;
 	int bound;
 	bool bind_need_restore = false;
@@ -288,7 +289,7 @@ ip_output(struct mbuf *m0, struct mbuf *
 		memset(, 0, sizeof(iproute));
 		ro = 
 	}
-	sockaddr_in_init(, >ip_dst, 0);
+	sockaddr_in_init(, >ip_dst, 0);
 	dst = satocsin(rtcache_getdst(ro));
 
 	/*
@@ -303,8 +304,8 @@ ip_output(struct mbuf *m0, struct mbuf *
 
 	if ((rt = rtcache_validate(ro)) == NULL &&
 	(rt = rtcache_update(ro, 1)) == NULL) {
-		dst = 
-		error = rtcache_setdst(ro, );
+		dst = 
+		error = rtcache_setdst(ro, );
 		if (error != 0)
 			goto bad;
 	}
@@ -315,8 +316,6 @@ ip_output(struct mbuf *m0, struct mbuf *
 	 * If routing to interface only, short circuit routing lookup.
 	 */
 	if (flags & IP_ROUTETOIF) {
-		struct ifaddr *ifa;
-
 		ifa = ifa_ifwithladdr_psref(sintocsa(dst), _ia);
 		if (ifa == NULL) {
 			IP_STATINC(IP_STAT_NOROUTE);
@@ -448,7 +447,7 @@ ip_output(struct mbuf *m0, struct mbuf *
 			 * on the outgoing interface, and the caller did not
 			 * forbid loopback, loop back a copy.
 			 */
-			ip_mloopback(ifp, m, );
+			ip_mloopback(ifp, m, );
 		}
 #ifdef MROUTING
 		else {
@@ -612,7 +611,10 @@ sendit:
 	 * validity
 	 */
 	KASSERT(ia == NULL);
-	ia = in_get_ia_psref(ip->ip_src, _ia);
+	sockaddr_in_init(, >ip_src, 0);
+	ifa = ifaof_ifpforaddr_psref(, ifp, _ia);
+	if (ifa != NULL)
+		ia = ifatoia(ifa);
 
 	/*
 	 * Ensure we only send from a valid address.
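Review bot: `ia` is now taken from whatever `ifaof_ifpforaddr_psref()` returns for `ifp`, without checking that the returned address equals `ip->ip_src`. If that lookup is a best-match search that can fall back to another address on the interface (its definition is not on this page), the validity test that follows would be applied to an address the packet is not using. Consider `if (ifa != NULL && in_hosteq(ifatoia(ifa)->ia_addr.sin_addr, ip->ip_src)) ia = ifatoia(ifa);`, releasing the reference when the addresses differ. The hunk ends before the validity test, so how a NULL `ia` is handled cannot be confirmed here.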



CVS commit: [netbsd-8] src/sys/netinet

2017-07-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jul  7 09:23:01 UTC 2017

Modified Files:
src/sys/netinet [netbsd-8]: ip_output.c

Log Message:
Pull up following revision(s) (requested by roy in ticket #100):
sys/netinet/ip_output.c: revision 1.280
sys/netinet/ip_output.c: revision 1.282
When outputting, search for the sending address on the sending interface
rather than blindly picking the first matcing address from any interface
when testing source address validity.
This allows another interface to have the same address, but be detached.
Rename u to udst, .dst to .sa and .dst4 to sin.
Create sockaddr for the source address in usrc so it won't stamp on udst.
This fixes a regression caused in r1.280


To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.279.2.1 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.