CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: martin Date: Fri Feb 9 14:11:21 UTC 2018 Modified Files: src/sys/netinet [netbsd-6-1]: ip_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1526): sys/netinet/ip_input.c: revision 1.366 Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a completely dumb idea, because they have security implications. By sending an IPv4 packet containing an LSRR option, an attacker will cause the system to forward the packet to another IPv4 address - and this way he white-washes the source of the packet. It is also possible for an attacker to reach hidden networks: if a server has a public address, and a private one on an internal network (network which has several internal machines connected), the attacker can send a packet with: source = 0.0.0.0 destination = public address of the server LSRR first address = address of a machine on the internal network And the packet will be forwarded, by the server, to the internal machine, in some cases even with the internal IP address of the server as a source. To generate a diff of this commit: cvs rdiff -u -r1.298 -r1.298.8.1 src/sys/netinet/ip_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.298 src/sys/netinet/ip_input.c:1.298.8.1
--- src/sys/netinet/ip_input.c:1.298 Mon Jan 9 14:31:22 2012
+++ src/sys/netinet/ip_input.c Fri Feb 9 14:11:21 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $ */
+/* $NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 
@@ -91,7 +91,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298 2012/01/09 14:31:22 liamjfoy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.298.8.1 2018/02/09 14:11:21 martin Exp $");
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -161,10 +161,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define IPSENDREDIRECTS 1
 #endif
 #ifndef IPFORWSRCRT
-#define IPFORWSRCRT 1 /* forward source-routed packets */
+#define IPFORWSRCRT 0 /* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define IPALLOWSRCRT 1 /* allow source-routed packets */
+#define IPALLOWSRCRT 0 /* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC 1
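Review bot: The comments kept on the `+#define IPFORWSRCRT 0` and `+#define IPALLOWSRCRT 0` lines still describe the knobs as plain toggles, while the reason the default is now off lives only in the log message; since the `#ifndef` guards still honour a kernel config that predefines either symbol, the reason belongs at the definition. I would change them to `/* forward source-routed packets (default off: LSRR lets a sender relay through this host, see rev. 1.366 log) */` and the matching wording for IPALLOWSRCRT. Whether a run-time sysctl can re-enable these is not visible in the hunk; if it can, the same caveat belongs on that sysctl's description.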
CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: snj Date: Sun Feb 5 06:07:15 UTC 2017 Modified Files: src/sys/netinet [netbsd-6-1]: if_arp.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1432): sys/netinet/if_arp.c: 1.238, 1.239 via patch Make sure the protocol address length equals that of IPv4. Also, make sure the hardware address length equals that of the interface we received the packet on. Otherwise a packet could easily set them both to zero and make the kernel read beyond the allocated mbuf, which is terrible. Note: for the latter we drop the packet instead of replying, since it is malformed. Note: I also added an ugly hack in CARP, since it apparently expects at least six bytes. -- Add some checks, mostly same as in_arpinput. To generate a diff of this commit: cvs rdiff -u -r1.154.16.1 -r1.154.16.2 src/sys/netinet/if_arp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.154.16.1 src/sys/netinet/if_arp.c:1.154.16.2
--- src/sys/netinet/if_arp.c:1.154.16.1 Wed Jun 18 09:34:27 2014
+++ src/sys/netinet/if_arp.c Sun Feb 5 06:07:15 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_arp.c,v 1.154.16.1 2014/06/18 09:34:27 msaitoh Exp $ */
+/* $NetBSD: if_arp.c,v 1.154.16.2 2017/02/05 06:07:15 snj Exp $ */
 /*-
 * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.16.1 2014/06/18 09:34:27 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.16.2 2017/02/05 06:07:15 snj Exp $");
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -974,6 +974,9 @@ in_arpinput(struct mbuf *m)
 break;
 }
+ if (ah->ar_pln != sizeof(struct in_addr))
+ goto out;
+
 memcpy(, ar_spa(ah), sizeof (isaddr));
 memcpy(, ar_tpa(ah), sizeof (itaddr)); 
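Review bot: The new `ar_pln` rejection in in_arpinput drops the packet with a bare `goto out`, whereas the `ar_hln` rejection added later in this same commit increments ARP_STAT_RCVBADLEN and logs, so protocol-length mismatches leave no trace in the ARP statistics. I would at least count them, e.g. `ARP_STATINC(ARP_STAT_RCVBADLEN);` before the `goto out`, or a dedicated counter if the stat list has one, so a flood of malformed ARP frames is visible in `netstat -s`. The two checks added to in_revarpinput in the last hunk of this file have the same silent-drop shape. in_arpinput continues outside the hunk and the `out:` label it jumps to is not visible here.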
@@ -1004,7 +1007,10 @@ in_arpinput(struct mbuf *m)
 ((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) == (IFF_UP|IFF_RUNNING))) {
 index++;
+
+ /* XXX: ar_hln? */
 if (ia->ia_ifp == m->m_pkthdr.rcvif &&
+ (ah->ar_hln >= 6) &&
 carp_iamatch(ia, ar_sha(ah), , index)) {
 break;
@@ -1036,6 +1042,14 @@ in_arpinput(struct mbuf *m)
 }
 #endif
+ if (ah->ar_hln != ifp->if_addrlen) {
+ ARP_STATINC(ARP_STAT_RCVBADLEN);
+ log(LOG_WARNING,
+ "arp from %s: addr len: new %d, i/f %d (ignored)\n",
+ in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen);
+ goto out;
+ }
+
 if (ia == NULL) {
 INADDR_TO_IA(isaddr, ia);
 while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif)
@@ -1130,14 +1144,7 @@ in_arpinput(struct mbuf *m)
 "arp from %s: new addr len %d, was %d\n",
 in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen);
 }
- if (ifp->if_addrlen != ah->ar_hln) {
- ARP_STATINC(ARP_STAT_RCVBADLEN);
- log(LOG_WARNING,
- "arp from %s: addr len: new %d, i/f %d (ignored)\n",
- in_fmtaddr(isaddr), ah->ar_hln,
- ifp->if_addrlen);
- goto reply;
- }
+
 #if NTOKEN > 0
 /*
 * XXX uses m_data and assumes the complete answer including
@@ -1433,6 +1440,10 @@ in_revarpinput(struct mbuf *m)
 tha = ar_tha(ah);
 if (tha == NULL)
 goto out;
+ if (ah->ar_pln != sizeof(struct in_addr))
+ goto out;
+ if (ah->ar_hln != ifp->if_sadl->sdl_alen)
+ goto out;
 if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen))
 goto out;
 memcpy(_ip, ar_spa(ah), sizeof(srv_ip));
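Review bot: `(ah->ar_hln >= 6) &&` in the CARP match guards carp_iamatch with a bare magic number, and the `/* XXX: ar_hln? */` comment above it does not say why six. If the intent is the Ethernet address length CARP assumes, write it as `(ah->ar_hln >= ETHER_ADDR_LEN) &&` and expand the comment to `/* carp_iamatch reads an Ethernet-sized sender address; reject shorter ones */`, so a reader does not take the later `ar_hln != ifp->if_addrlen` test for the only length validation. This guard runs before that stricter test, so carp_iamatch can still be handed an `ar_hln` larger than the interface's address length; whether it reads beyond six bytes in that case is not visible here.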
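Review bot: The relocated `ar_hln != ifp->if_addrlen` check in the second hunk calls `log(LOG_WARNING, ...)` for every rejected frame, and since the drop now happens on any frame received off the wire, one malformed ARP per message is enough to fill the log at line rate. The counter increment already gives the visibility; I would rate-limit the message with `ppsratecheck()` or drop it and rely on ARP_STAT_RCVBADLEN, so logging cannot be used to drown other warnings. Replacing `goto reply` with `goto out` is the right call for a malformed frame; the `out:` label is outside the hunk.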
CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: martin Date: Fri Jul 24 07:36:05 UTC 2015 Modified Files: src/sys/netinet [netbsd-6-1]: tcp_input.c tcp_output.c Log Message: Pull up following revision(s) (requested by matt in ticket #1315): sys/netinet/tcp_output.c: revision 1.184 sys/netinet/tcp_input.c: revision 1.343 If we are sending a window probe and there's unacked data in the socket, make sure at least the persist timer is running. Make sure that snd_win doesn't go negative. To generate a diff of this commit: cvs rdiff -u -r1.321 -r1.321.8.1 src/sys/netinet/tcp_input.c cvs rdiff -u -r1.173.8.1 -r1.173.8.2 src/sys/netinet/tcp_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.321 src/sys/netinet/tcp_input.c:1.321.8.1
--- src/sys/netinet/tcp_input.c:1.321 Wed Jan 11 14:39:08 2012
+++ src/sys/netinet/tcp_input.c Fri Jul 24 07:36:05 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.321 2012/01/11 14:39:08 drochner Exp $ */
+/* $NetBSD: tcp_input.c,v 1.321.8.1 2015/07/24 07:36:05 martin Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
 */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.321 2012/01/11 14:39:08 drochner Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.321.8.1 2015/07/24 07:36:05 martin Exp $);
 #include opt_inet.h
 #include opt_ipsec.h
@@ -2719,7 +2719,10 @@ after_listen:
 tp-t_lastm = NULL;
 sbdrop(so-so_snd, acked);
 tp-t_lastoff -= acked;
- tp-snd_wnd -= acked;
+ if (tp-snd_wnd acked)
+tp-snd_wnd -= acked;
+ else
+tp-snd_wnd = 0;
 ourfinisacked = 0;
 }
 sowwakeup(so);
Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.173.8.1 src/sys/netinet/tcp_output.c:1.173.8.2
--- src/sys/netinet/tcp_output.c:1.173.8.1 Mon Nov 3 23:05:59 2014
+++ src/sys/netinet/tcp_output.c Fri Jul 24 07:36:05 2015 
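Review bot: The clamp `if (tp->snd_wnd > acked) ... else tp->snd_wnd = 0;` (the comparison operator is lost in this rendering) has no comment saying what it prevents: if `snd_wnd` is an unsigned field, as in the BSD tcpcb, the old `snd_wnd -= acked` could never go negative but could wrap to a near-maximal window, letting this side send far past what the peer advertised; the log message's "go negative" wording hides that. I would add `/* snd_wnd is unsigned: clamp at 0 instead of wrapping to a huge window */` above the `if`. How an ACK can cover more than snd_wnd here (a window shrink, presumably) is not visible in the hunk, and the enclosing ACK-processing block continues outside it.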
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $ */
+/* $NetBSD: tcp_output.c,v 1.173.8.2 2015/07/24 07:36:05 martin Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
 */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173.8.2 2015/07/24 07:36:05 martin Exp $);
 #include opt_inet.h
 #include opt_ipsec.h
@@ -1527,14 +1527,24 @@ send:
 * of retransmit time.
 */
 timer:
- if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0
- ((sack_rxmit tp-snd_nxt != tp-snd_max) ||
- tp-snd_nxt != tp-snd_una)) {
- if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
-TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+ if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0) {
+ if ((sack_rxmit tp-snd_nxt != tp-snd_max)
+ || tp-snd_nxt != tp-snd_una) {
+if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
+ TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+ tp-t_rxtshift = 0;
+}
+TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
+ } else if (len == 0 so-so_snd.sb_cc 0
+ TCP_TIMER_ISARMED(tp, TCPT_PERSIST) == 0) {
+/*
+ * If we are sending a window probe and there's
+ * unacked data in the socket, make sure at
+ * least the persist timer is running.
+ */
 tp-t_rxtshift = 0;
+tcp_setpersist(tp);
 }
- TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
 }
 } else if (SEQ_GT(tp-snd_nxt + len, tp-snd_max))
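Review bot: The new `else if (len == 0 && so->so_snd.sb_cc > 0 && !TCP_TIMER_ISARMED(tp, TCPT_PERSIST))` branch (operators are lost in this rendering) is commented as the window-probe case, but the condition never tests the send window; if `timer:` is also reached with `len == 0` for a pure ACK or window update while data is queued, the persist timer is now armed on paths that previously armed nothing. I would either add the window test the comment implies or extend the comment to say that any zero-length send with pending data is treated as a probe here. Zeroing `t_rxtshift` right before `tcp_setpersist(tp)` also discards any existing backoff, presumably intended for a freshly armed persist; a one-line comment would make that explicit. tcp_output continues outside the hunk.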
CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: martin Date: Sat Feb 21 13:05:38 UTC 2015 Modified Files: src/sys/netinet [netbsd-6-1]: icmp_var.h ip_icmp.h Log Message: Pull up following revision(s) (requested by christos in ticket #1258): sys/netinet/icmp_var.h: revision 1.30 sys/netinet/ip_icmp.h: revision 1.34 PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.16.1 src/sys/netinet/icmp_var.h cvs rdiff -u -r1.33 -r1.33.16.1 src/sys/netinet/ip_icmp.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/icmp_var.h
diff -u src/sys/netinet/icmp_var.h:1.29 src/sys/netinet/icmp_var.h:1.29.16.1
--- src/sys/netinet/icmp_var.h:1.29 Sat Dec 24 19:54:41 2011
+++ src/sys/netinet/icmp_var.h Sat Feb 21 13:05:38 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp_var.h,v 1.29 2011/12/24 19:54:41 christos Exp $ */
+/* $NetBSD: icmp_var.h,v 1.29.16.1 2015/02/21 13:05:38 martin Exp $ */
 /*
 * Copyright (c) 1982, 1986, 1993
@@ -56,8 +56,8 @@
 #define ICMP_STAT_BMCASTTSTAMP 10 /* b/mcast tstamp requests dropped */
 #define ICMP_STAT_LAST 16 /* Allow for 5 spare ones */
 #define ICMP_STAT_OUTHIST ICMP_STAT_LAST
-#define ICMP_STAT_INHIST (ICMP_STAT_LAST + ICMP_MAXTYPE)
-#define ICMP_NSTATS (ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)
+#define ICMP_STAT_INHIST (ICMP_STAT_LAST + ICMP_NTYPES)
+#define ICMP_NSTATS (ICMP_STAT_LAST + 2 * ICMP_NTYPES)
 /*
 * Names for ICMP sysctl objects
Index: src/sys/netinet/ip_icmp.h
diff -u src/sys/netinet/ip_icmp.h:1.33 src/sys/netinet/ip_icmp.h:1.33.16.1
--- src/sys/netinet/ip_icmp.h:1.33 Sat Dec 24 20:18:54 2011
+++ src/sys/netinet/ip_icmp.h Sat Feb 21 13:05:38 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_icmp.h,v 1.33 2011/12/24 20:18:54 christos Exp $ */
+/* $NetBSD: ip_icmp.h,v 1.33.16.1 2015/02/21 13:05:38 martin Exp $ */
 /*
 * Copyright (c) 1982, 1986, 1993 
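Review bot: `ICMP_STAT_INHIST` and `ICMP_NSTATS` in icmp_var.h now depend on `ICMP_NTYPES`, which this commit defines in ip_icmp.h; unless icmp_var.h includes ip_icmp.h (not visible here), a translation unit that includes icmp_var.h alone, or the two in the other order, fails on these two lines. A comment at the top of the block naming the dependency, or an `#ifndef ICMP_NTYPES` guard with a clear `#error`, would make the coupling explicit. The sizing itself, two histograms of types 0..ICMP_MAXTYPE inclusive (41 entries rather than 40), is correct as far as the hunk shows.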
@@ -189,6 +189,7 @@ struct icmp {
 #define ICMP_PHOTURIS_NEED_AUTHZ 5 /* no authorization */
 #define ICMP_MAXTYPE 40
+#define ICMP_NTYPES (ICMP_MAXTYPE + 1)
 #ifdef ICMP_STRINGS
 static const char *icmp_type[] = {
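Review bot: `+#define ICMP_NTYPES (ICMP_MAXTYPE + 1)` carries no comment, and the distinction it encodes, that MAXTYPE is the largest valid type value rather than the number of values, is exactly what produced the overflow in PR/49676; I would document it as `/* number of ICMP type values (0..ICMP_MAXTYPE inclusive); size per-type counters with this, not ICMP_MAXTYPE */`. Any counter indexed by a received type still needs a `type <= ICMP_MAXTYPE` check at the call site, since the larger array only moves the bound; those call sites are outside this diff.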
CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: msaitoh Date: Mon Nov 3 23:05:59 UTC 2014 Modified Files: src/sys/netinet [netbsd-6-1]: tcp_output.c Log Message: Pull up following revision(s) (requested by christos in ticket #1174): sys/netinet/tcp_output.c: revision 1.178 Avoid stack overflow when SACK and TCP_SIGNATURE are both present. Thanks to Jonathan Looney for pointing this out. To generate a diff of this commit: cvs rdiff -u -r1.173 -r1.173.8.1 src/sys/netinet/tcp_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.173 src/sys/netinet/tcp_output.c:1.173.8.1
--- src/sys/netinet/tcp_output.c:1.173 Sat Dec 31 20:41:59 2011
+++ src/sys/netinet/tcp_output.c Mon Nov 3 23:05:59 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_output.c,v 1.173 2011/12/31 20:41:59 christos Exp $ */
+/* $NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
 */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173 2011/12/31 20:41:59 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.173.8.1 2014/11/03 23:05:59 msaitoh Exp $);
 #include opt_inet.h
 #include opt_ipsec.h
@@ -561,6 +561,7 @@ tcp_output(struct tcpcb *tp)
 #endif
 struct tcphdr *th;
 u_char opt[MAX_TCPOPTLEN];
+#define OPT_FITS(more) ((optlen + (more)) sizeof(opt))
 unsigned optlen, hdrlen, packetlen;
 unsigned int sack_numblks;
 int idle, sendalot, txsegsize, rxsegsize;
@@ -1127,7 +1128,7 @@ send:
 tp-snd_nxt = tp-iss;
 tp-t_ourmss = tcp_mss_to_advertise(synrt != NULL ?
 synrt-rt_ifp : NULL, af);
- if ((tp-t_flags TF_NOOPT) == 0) {
+ if ((tp-t_flags TF_NOOPT) == 0 OPT_FITS(4)) {
 opt[0] = TCPOPT_MAXSEG;
 opt[1] = 4;
 opt[2] = (tp-t_ourmss 8) 0xff; 
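Review bot: `+#define OPT_FITS(more) ((optlen + (more)) sizeof(opt))` (the comparison operator, presumably `<=`, is lost in this rendering) is defined inside tcp_output's body, silently captures the locals `optlen` and `opt`, and is never `#undef`'d, so it remains visible to everything after the function in the file. I would add `#undef OPT_FITS` at the end of tcp_output and a comment on the definition, `/* true if `more' further option bytes fit in opt[]; uses the locals optlen and opt */`, since its uses in the SYN-option hunks below are far from the definition. tcp_output continues outside the hunk.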
@@ -1136,7 +1137,8 @@ send:
 if ((tp-t_flags TF_REQ_SCALE)
 ((flags TH_ACK) == 0 ||
- (tp-t_flags TF_RCVD_SCALE))) {
+ (tp-t_flags TF_RCVD_SCALE))
+ OPT_FITS(4)) {
 *((u_int32_t *) (opt + optlen)) = htonl(
 TCPOPT_NOP 24 |
 TCPOPT_WINDOW 16 |
@@ -1144,7 +1146,7 @@ send:
 tp-request_r_scale);
 optlen += 4;
 }
- if (tcp_do_sack) {
+ if (tcp_do_sack OPT_FITS(4)) {
 u_int8_t *cp = (u_int8_t *)(opt + optlen);
 cp[0] = TCPOPT_SACK_PERMITTED;
@@ -1164,7 +1166,7 @@ send:
 if ((tp-t_flags (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP
 (flags TH_RST) == 0
 ((flags (TH_SYN|TH_ACK)) == TH_SYN ||
- (tp-t_flags TF_RCVD_TSTMP))) {
+ (tp-t_flags TF_RCVD_TSTMP)) OPT_FITS(TCPOLEN_TSTAMP_APPA)) {
 u_int32_t *lp = (u_int32_t *)(opt + optlen);
 /* Form timestamp option as shown in appendix A of RFC 1323. */ 
@@ -1188,30 +1190,33 @@ send:
 struct ipqent *tiqe;
 sack_len = sack_numblks * 8 + 2;
- bp[0] = TCPOPT_NOP;
- bp[1] = TCPOPT_NOP;
- bp[2] = TCPOPT_SACK;
- bp[3] = s ack_len;
- if ((tp-rcv_sack_flags TCPSACK_HAVED) != 0) {
- sack_numblks--;
- *lp++ = htonl(tp-rcv_dsack_block.left);
- *lp++ = htonl(tp-rcv_dsack_block.right);
- tp-rcv_sack_flags = ~TCPSACK_HAVED;
- }
- for (tiqe = TAILQ_FIRST(tp-timeq);
- sack_numblks 0; tiqe = TAILQ_NEXT(tiqe, ipqe_timeq)) {
- KASSERT(tiqe != NULL);
- sack_numblks--;
- *lp++ = htonl(tiqe-ipqe_seq);
- *lp++ = htonl(tiqe-ipqe_seq + tiqe-ipqe_len +
- ((tiqe-ipqe_flags TH_FIN) != 0 ? 1 : 0));
+ if (OPT_FITS(sack_len + 2)) {
+ bp[0] = TCPOPT_NOP;
+ bp[1] = TCPOPT_NOP;
+ bp[2] = TCPOPT_SACK;
+ bp[3] = sack_len;
+ if ((tp-rcv_sack_flags TCPSACK_HAVED) != 0) {
+sack_numblks--;
+*lp++ = htonl(tp-rcv_dsack_block.left);
+*lp++ = htonl(tp-rcv_dsack_block.right);
+tp-rcv_sack_flags = ~TCPSACK_HAVED;
+ }
+ for (tiqe = TAILQ_FIRST(tp-timeq);
+ sack_numblks 0;
+ tiqe = TAILQ_NEXT(tiqe, ipqe_timeq)) {
+KASSERT(tiqe != NULL);
+sack_numblks--;
+*lp++ = htonl(tiqe-ipqe_seq);
+*lp++ = htonl(tiqe-ipqe_seq + tiqe-ipqe_len +
+((tiqe-ipqe_flags TH_FIN) != 0 ? 1 : 0));
+ }
+ optlen += sack_len + 2;
 }
- optlen += sack_len + 2;
 }
 TCP_REASS_UNLOCK(tp);
 #ifdef TCP_SIGNATURE
- if (tp-t_flags TF_SIGNATURE) {
+ if ((tp-t_flags TF_SIGNATURE) OPT_FITS(TCPOLEN_SIGNATURE + 2)) {
 u_char *bp;
 /*
 * Initialize TCP-MD5 option (RFC2385)
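Review bot: With `OPT_FITS(TCPOLEN_SIGNATURE + 2)` guarding the MD5 block, a segment on a TF_SIGNATURE connection whose SACK blocks already filled opt[] goes out unsigned, which a peer enforcing signatures should then discard; the former stack overflow becomes a silent integrity downgrade plus lost segments rather than a handled case. Since the SACK option is built first, I would have the `OPT_FITS(sack_len + 2)` check reserve the signature space when TF_SIGNATURE is set, or reduce `sack_numblks` before `sack_len` is computed so the signature always fits, and count the skipped-SACK case so it is observable. The `+ 2` in `OPT_FITS(sack_len + 2)` is the two leading NOP bytes written by `bp[0]`/`bp[1]`, while `sack_len` already includes its own kind and length bytes; a comment saying so would help. The enclosing SACK block starts before this hunk.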
CVS commit: [netbsd-6-1] src/sys/netinet
Module Name:src Committed By: bouyer Date: Sun Oct 20 13:29:44 UTC 2013 Modified Files: src/sys/netinet [netbsd-6-1]: tcp_usrreq.c Log Message: Pull up following revision(s) (requested by spz in ticket #967): sys/netinet/tcp_usrreq.c: revision 1.168 PR/48098: Brian Marcotte: Avoid kernel assertion for embryonic sockets that don't have credentials yet. XXX: pullup-6 To generate a diff of this commit: cvs rdiff -u -r1.162.2.1 -r1.162.2.1.6.1 src/sys/netinet/tcp_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/netinet/tcp_usrreq.c
diff -u src/sys/netinet/tcp_usrreq.c:1.162.2.1 src/sys/netinet/tcp_usrreq.c:1.162.2.1.6.1
--- src/sys/netinet/tcp_usrreq.c:1.162.2.1 Sat Mar 17 19:51:45 2012
+++ src/sys/netinet/tcp_usrreq.c Sun Oct 20 13:29:44 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_usrreq.c,v 1.162.2.1 2012/03/17 19:51:45 bouyer Exp $ */
+/* $NetBSD: tcp_usrreq.c,v 1.162.2.1.6.1 2013/10/20 13:29:44 bouyer Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -95,7 +95,7 @@
 */
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.162.2.1 2012/03/17 19:51:45 bouyer Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_usrreq.c,v 1.162.2.1.6.1 2013/10/20 13:29:44 bouyer Exp $);
 #include opt_inet.h
 #include opt_ipsec.h
@@ -1168,18 +1168,20 @@ sysctl_net_inet_ip_ports(SYSCTLFN_ARGS)
 static inline int
 copyout_uid(struct socket *sockp, void *oldp, size_t *oldlenp)
 {
- size_t sz;
- int error;
- uid_t uid;
-
- uid = kauth_cred_geteuid(sockp-so_cred);
 if (oldp) {
+ size_t sz;
+ uid_t uid;
+ int error;
+
+ if (sockp-so_cred == NULL)
+ return EPERM;
+
+ uid = kauth_cred_geteuid(sockp-so_cred);
 sz = MIN(sizeof(uid), *oldlenp);
- error = copyout(uid, oldp, sz);
- if (error)
+ if ((error = copyout(uid, oldp, sz)) != 0)
 return error;
 }
- *oldlenp = sizeof(uid);
+ *oldlenp = sizeof(uid_t);
 return 0;
 }
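Review bot: The new `if (sockp->so_cred == NULL) return EPERM;` (the `->` is lost in this rendering) sits inside `if (oldp)`, so a size-probe call with a NULL oldp on an embryonic socket reports success and sizeof(uid_t), and only the following data call fails, with an error callers cannot tell apart from a real permission check; a comment such as `/* embryonic socket: no credentials yet, report as not readable */` would record that this is deliberate, or ENOENT could be used if callers need to distinguish the cases. Separately, `sz = MIN(sizeof(uid), *oldlenp)` still copies a truncated uid when the caller's buffer is short and then reports sizeof(uid_t) as the length, whereas the sysctl helpers elsewhere in the kernel generally return ENOMEM for a short buffer. copyout_uid is complete within the hunk.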