CVS commit: [netbsd-7] src/sys/netinet

2018-06-06 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Wed Jun  6 09:48:50 UTC 2018

Modified Files:
src/sys/netinet [netbsd-7]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1607):

sys/netinet/udp_usrreq.c: revision 1.237 (via patch)

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.217 -r1.217.2.1 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.217 src/sys/netinet/udp_usrreq.c:1.217.2.1
--- src/sys/netinet/udp_usrreq.c:1.217	Sat Aug  9 05:33:01 2014
+++ src/sys/netinet/udp_usrreq.c	Wed Jun  6 09:48:50 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -395,7 +395,15 @@ udp_input(struct mbuf *m, ...)
 		 */
 		return;
 	}
+
 	ip = mtod(m, struct ip *);
+	IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr));
+	if (uh == NULL) {
+		UDP_STATINC(UDP_STAT_HDROPS);
+		return;
+	}
+	/* XXX Re-enforce alignment? */
+
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
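Review bot: the early return on uh == NULL right after IP6_EXTHDR_GET
does not free m, which is only correct if the macro has already freed
the chain on failure; a one-line comment saying so would keep a later
reader from turning it into a double free. The 'XXX Re-enforce
alignment?' question should be answered or tied to a ticket rather than
left open in an input path.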
@@ -1301,7 +1309,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
-		m_free(m);
+		m_freem(m);
 		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
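Review bot: the keepalive branch was leaving every mbuf after the first
unfreed, so the other exit paths of udp4_espinudp should get the same
m_free versus m_freem audit as part of this change, not later. m_freem
is right here because len == 1 describes the payload, not how many
mbufs carry the packet. The comment on the '*mp = NULL' line still
reads 'processiong' and can be fixed while the block is being touched.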
@@ -1383,7 +1391,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 #ifdef IPSEC
 	if (ipsec_used)
 		ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
-	/* XXX: else */
+	else
+		m_freem(m);
 #else
 	esp4_input(m, iphdrlen);
 #endif
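Review bot: the new else branch frees m when ipsec_used is false, but
unlike the keepalive path it shows no sign of clearing *mp, and the
drop is not counted anywhere; confirm that the lines after #endif set
*mp = NULL before returning, and consider bumping a drop statistic so
these discards show up in the counters.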



CVS commit: [netbsd-7] src/sys/netinet

2018-02-09 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Fri Feb  9 13:37:09 UTC 2018

Modified Files:
src/sys/netinet [netbsd-7]: ip_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1563):
sys/netinet/ip_input.c: revision 1.366 (via patch)

Disable ip_allowsrcrt and ip_forwsrcrt. Enabling them by default was a
completely dumb idea, because they have security implications.

By sending an IPv4 packet containing an LSRR option, an attacker will
cause the system to forward the packet to another IPv4 address - and
this way he white-washes the source of the packet.

It is also possible for an attacker to reach hidden networks: if a server
has a public address, and a private one on an internal network (network
which has several internal machines connected), the attacker can send a
packet with:
source = 0.0.0.0
destination = public address of the server
LSRR first address = address of a machine on the internal network
And the packet will be forwarded, by the server, to the internal machine,
in some cases even with the internal IP address of the server as a source.


To generate a diff of this commit:
cvs rdiff -u -r1.319 -r1.319.2.1 src/sys/netinet/ip_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.319 src/sys/netinet/ip_input.c:1.319.2.1
--- src/sys/netinet/ip_input.c:1.319	Mon Jun 16 00:33:39 2014
+++ src/sys/netinet/ip_input.c	Fri Feb  9 13:37:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.319 2014/06/16 00:33:39 ozaki-r Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.319.2.1 2018/02/09 13:37:09 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.319 2014/06/16 00:33:39 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.319.2.1 2018/02/09 13:37:09 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -157,10 +157,10 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #define	IPSENDREDIRECTS	1
 #endif
 #ifndef IPFORWSRCRT
-#define	IPFORWSRCRT	1	/* forward source-routed packets */
+#define	IPFORWSRCRT	0	/* forward source-routed packets */
 #endif
 #ifndef IPALLOWSRCRT
-#define	IPALLOWSRCRT	1	/* allow source-routed packets */
+#define	IPALLOWSRCRT	0	/* allow source-routed packets */
 #endif
 #ifndef IPMTUDISC
 #define IPMTUDISC	1
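Review bot: the comments on the IPFORWSRCRT and IPALLOWSRCRT lines still
say what each knob does and not why it is now 0; since both sit under
#ifndef, a kernel config can still define them to 1, so the comment
should state that source routing is off by default for security reasons,
and the changed default belongs in the release notes for anyone who
relied on the old behaviour.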



CVS commit: [netbsd-7] src/sys/netinet

2017-09-10 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Mon Sep 11 05:46:44 UTC 2017

Modified Files:
src/sys/netinet [netbsd-7]: tcp_usrreq.c

Log Message:
Pull up following revision(s) (requested by jdolecek in ticket #1498):
sys/netinet/tcp_usrreq.c: revision 1.216
add some more getsockopt(2) params


To generate a diff of this commit:
cvs rdiff -u -r1.200.2.2 -r1.200.2.3 src/sys/netinet/tcp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet/tcp_usrreq.c
diff -u src/sys/netinet/tcp_usrreq.c:1.200.2.2 src/sys/netinet/tcp_usrreq.c:1.200.2.3
--- src/sys/netinet/tcp_usrreq.c:1.200.2.2	Sat Feb 21 13:40:19 2015
+++ src/sys/netinet/tcp_usrreq.c	Mon Sep 11 05:46:43 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_usrreq.c,v 1.200.2.2 2015/02/21 13:40:19 martin Exp $	*/
+/*	$NetBSD: tcp_usrreq.c,v 1.200.2.3 2017/09/11 05:46:43 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -99,7 +99,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.200.2.2 2015/02/21 13:40:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.200.2.3 2017/09/11 05:46:43 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -500,17 +500,14 @@ tcp_ctloutput(int op, struct socket *so,
 #ifdef TCP_SIGNATURE
 		case TCP_MD5SIG:
 			optval = (tp->t_flags & TF_SIGNATURE) ? 1 : 0;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 #endif
 		case TCP_NODELAY:
 			optval = tp->t_flags & TF_NODELAY;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 		case TCP_MAXSEG:
 			optval = tp->t_peermss;
-			error = sockopt_set(sopt, , sizeof(optval));
-			break;
+			goto setval;
 		case TCP_INFO:
 			tcp_fill_info(tp, );
 			error = sockopt_set(sopt, , sizeof ti);
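Review bot: TCP_NODELAY returns the raw mask 'tp->t_flags & TF_NODELAY'
while TCP_MD5SIG just above it normalises to 0 or 1; now that both leave
through the shared setval exit, normalise TCP_NODELAY with the same
'? 1 : 0' so a caller comparing the result against 1 is not surprised.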
@@ -519,6 +516,19 @@ tcp_ctloutput(int op, struct socket *so,
 		case TCP_CONGCTL:
 			break;
 #endif
+		case TCP_KEEPIDLE:
+			optval = tp->t_keepidle;
+			goto setval;
+		case TCP_KEEPINTVL:
+			optval = tp->t_keepintvl;
+			goto setval;
+		case TCP_KEEPCNT:
+			optval = tp->t_keepcnt;
+			goto setval;
+		case TCP_KEEPINIT:
+			optval = tp->t_keepcnt;
+setval:			error = sockopt_set(sopt, , sizeof(optval));
+			break;
 		default:
 			error = ENOPROTOOPT;
 			break;
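Review bot: the TCP_KEEPINIT case reads tp->t_keepcnt, the same field
TCP_KEEPCNT returns directly above it, which looks like a copy-and-paste
slip; it should return the connection's keep-init value (presumably
tp->t_keepinit). The setval label is also tucked into the body of the
last case, so a case added after TCP_KEEPINIT could easily separate the
label from its assignment; put the label on its own line after the
keepalive cases.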



CVS commit: [netbsd-7] src/sys/netinet

2017-05-12 Thread Stephen Borrill
Module Name:    src
Committed By:   sborrill
Date:   Fri May 12 10:48:11 UTC 2017

Modified Files:
src/sys/netinet [netbsd-7]: ip_carp.c

Log Message:
Pull up the following revision(s) (requested by roy in ticket #1420):
sys/netinet/ip_carp.c:  revision 1.88

carp should call if_link_state_change instead of affecting
if_link_state directly.


To generate a diff of this commit:
cvs rdiff -u -r1.59.2.4 -r1.59.2.5 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.59.2.4 src/sys/netinet/ip_carp.c:1.59.2.5
--- src/sys/netinet/ip_carp.c:1.59.2.4	Sat Aug 27 04:29:41 2016
+++ src/sys/netinet/ip_carp.c	Fri May 12 10:48:11 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.59.2.4 2016/08/27 04:29:41 snj Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.59.2.5 2017/05/12 10:48:11 sborrill Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.4 2016/08/27 04:29:41 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.5 2017/05/12 10:48:11 sborrill Exp $");
 
 /*
  * TODO:
@@ -2127,6 +2127,8 @@ static void
 carp_set_state(struct carp_softc *sc, int state)
 {
 	static const char *carp_states[] = { CARP_STATES };
+	int link_state;
+
 	if (sc->sc_state == state)
 		return;
 
@@ -2135,16 +2137,16 @@ carp_set_state(struct carp_softc *sc, in
 	sc->sc_state = state;
 	switch (state) {
 	case BACKUP:
-		sc->sc_if.if_link_state = LINK_STATE_DOWN;
+		link_state = LINK_STATE_DOWN;
 		break;
 	case MASTER:
-		sc->sc_if.if_link_state = LINK_STATE_UP;
+		link_state = LINK_STATE_UP;
 		break;
 	default:
-		sc->sc_if.if_link_state = LINK_STATE_UNKNOWN;
+		link_state = LINK_STATE_UNKNOWN;
 		break;
 	}
-	rt_ifmsg(>sc_if);
+	if_link_state_change(>sc_if, link_state);
 }
 
 void
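Review bot: with rt_ifmsg() removed at the end of carp_set_state, the
routing-socket announcement now depends entirely on
if_link_state_change(); the log message should say that the new call
sends it, so the removal is not read as a lost notification. link_state
is assigned in all three switch arms, so there is no uninitialised path.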



CVS commit: [netbsd-7] src/sys/netinet

2017-02-05 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Sun Feb  5 19:20:23 UTC 2017

Modified Files:
src/sys/netinet [netbsd-7]: if_arp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1356):
sys/netinet/if_arp.c: revision 1.238, 1.239 via patch
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.
Note: for the latter we drop the packet instead of replying, since it is
malformed.
Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.
--
Add some checks, mostly same as in_arpinput.


To generate a diff of this commit:
cvs rdiff -u -r1.158.2.1 -r1.158.2.2 src/sys/netinet/if_arp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.158.2.1 src/sys/netinet/if_arp.c:1.158.2.2
--- src/sys/netinet/if_arp.c:1.158.2.1	Fri Nov  6 00:46:50 2015
+++ src/sys/netinet/if_arp.c	Sun Feb  5 19:20:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arp.c,v 1.158.2.1 2015/11/06 00:46:50 riz Exp $	*/
+/*	$NetBSD: if_arp.c,v 1.158.2.2 2017/02/05 19:20:22 snj Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.158.2.1 2015/11/06 00:46:50 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.158.2.2 2017/02/05 19:20:22 snj Exp $");
 
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -974,6 +974,9 @@ in_arpinput(struct mbuf *m)
 		break;
 	}
 
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+
 	memcpy(, ar_spa(ah), sizeof (isaddr));
 	memcpy(, ar_tpa(ah), sizeof (itaddr));
 
@@ -1004,7 +1007,10 @@ in_arpinput(struct mbuf *m)
 		((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) ==
 		(IFF_UP|IFF_RUNNING))) {
 			index++;
+
+			/* XXX: ar_hln? */
 			if (ia->ia_ifp == m->m_pkthdr.rcvif &&
+			(ah->ar_hln >= 6) &&
 			carp_iamatch(ia, ar_sha(ah),
 			, index)) {
 break;
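Review bot: the bare 6 in '(ah->ar_hln >= 6)' is a magic number and the
'XXX: ar_hln?' comment does not say what is unresolved; use a named
constant and spell out in the comment that the guard exists because
carp_iamatch is expected to read at least six bytes from ar_sha(ah), as
the commit message explains.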
@@ -1036,6 +1042,14 @@ in_arpinput(struct mbuf *m)
 	}
 #endif
 
+	if (ah->ar_hln != ifp->if_addrlen) {
+		ARP_STATINC(ARP_STAT_RCVBADLEN);
+		log(LOG_WARNING,
+		"arp from %s: addr len: new %d, i/f %d (ignored)\n",
+		in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen);
+		goto out;
+	}
+
 	if (ia == NULL) {
 		INADDR_TO_IA(isaddr, ia);
 		while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif)
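Review bot: the relocated ar_hln check calls log(LOG_WARNING, ...) once
per mismatching packet, and the input is whatever arrives on the
segment; rate-limit the message or lower its priority so the length
check cannot be used to flood the system log. Dropping with 'goto out'
where the old code used 'goto reply' matches the commit message.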
@@ -1130,14 +1144,7 @@ in_arpinput(struct mbuf *m)
 			"arp from %s: new addr len %d, was %d\n",
 			in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen);
 		}
-		if (ifp->if_addrlen != ah->ar_hln) {
-			ARP_STATINC(ARP_STAT_RCVBADLEN);
-			log(LOG_WARNING,
-			"arp from %s: addr len: new %d, i/f %d (ignored)\n",
-			in_fmtaddr(isaddr), ah->ar_hln,
-			ifp->if_addrlen);
-			goto reply;
-		}
+
 #if NTOKEN > 0
 		/*
 		 * XXX uses m_data and assumes the complete answer including
@@ -1436,6 +1443,10 @@ in_revarpinput(struct mbuf *m)
 	tha = ar_tha(ah);
 	if (tha == NULL)
 		goto out;
+	if (ah->ar_pln != sizeof(struct in_addr))
+		goto out;
+	if (ah->ar_hln != ifp->if_sadl->sdl_alen)
+		goto out;
 	if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen))
 		goto out;
 	memcpy(_ip, ar_spa(ah), sizeof(srv_ip));
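Review bot: both new length checks sit after 'tha = ar_tha(ah)', which
has already been computed from the unvalidated ar_hln and ar_pln; move
the two checks above that line so it is obvious that nothing is derived
from the header before it is validated. Unlike in_arpinput, no
statistic is bumped on these drops.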



CVS commit: [netbsd-7] src/sys/netinet

2017-01-05 Thread Martin Husemann
Module Name:    src
Committed By:   martin
Date:   Thu Jan  5 08:08:46 UTC 2017

Modified Files:
src/sys/netinet [netbsd-7]: tcp_congctl.c

Log Message:
Pull up following revision(s) (requested by skrll in ticket #1347):
sys/netinet/tcp_congctl.c: revision 1.23
Restore behaviour to pre- tcp_congctl.c:1.18 for SACK.  Further analysis
of the change is required.
OK kefren@
PR/51753 tcp SACK causes SSH disconnect


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.4.1 src/sys/netinet/tcp_congctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_congctl.c
diff -u src/sys/netinet/tcp_congctl.c:1.19 src/sys/netinet/tcp_congctl.c:1.19.4.1
--- src/sys/netinet/tcp_congctl.c:1.19	Mon Nov 18 11:48:34 2013
+++ src/sys/netinet/tcp_congctl.c	Thu Jan  5 08:08:46 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_congctl.c,v 1.19 2013/11/18 11:48:34 kefren Exp $	*/
+/*	$NetBSD: tcp_congctl.c,v 1.19.4.1 2017/01/05 08:08:46 martin Exp $	*/
 
 /*-
  * Copyright (c) 1997, 1998, 1999, 2001, 2005, 2006 The NetBSD Foundation, Inc.
@@ -135,7 +135,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: tcp_congctl.c,v 1.19 2013/11/18 11:48:34 kefren Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_congctl.c,v 1.19.4.1 2017/01/05 08:08:46 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_tcp_debug.h"
@@ -707,7 +707,6 @@ tcp_newreno_fast_retransmit_newack(struc
 		tp->t_partialacks++;
 		TCP_TIMER_DISARM(tp, TCPT_REXMT);
 		tp->t_rtttime = 0;
-		tp->snd_nxt = th->th_ack;
 
 		if (TCP_SACK_ENABLED(tp)) {
 			/*
@@ -734,6 +733,7 @@ tcp_newreno_fast_retransmit_newack(struc
 			tp->t_flags |= TF_ACKNOW;
 			(void) tcp_output(tp);
 		} else {
+			tp->snd_nxt = th->th_ack;
 			/*
 			 * Set snd_cwnd to one segment beyond ACK'd offset
 			 * snd_una is not yet updated when we're called
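Review bot: 'tp->snd_nxt = th->th_ack' now runs only in the non-SACK
else branch, and the reason lives only in the commit message; add an XXX
comment at this line citing PR/51753 and noting that further analysis is
pending, so the asymmetry between the SACK and non-SACK paths is not
tidied away later.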



CVS commit: [netbsd-7] src/sys/netinet

2016-08-26 Thread Soren Jacobsen
Module Name:    src
Committed By:   snj
Date:   Sat Aug 27 04:29:41 UTC 2016

Modified Files:
src/sys/netinet [netbsd-7]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1209):
sys/netinet/ip_carp.c: revision 1.76
Print the IPv6 or IPv4 source addresses of packets with wrong hash, to
help debugging.


To generate a diff of this commit:
cvs rdiff -u -r1.59.2.3 -r1.59.2.4 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.59.2.3 src/sys/netinet/ip_carp.c:1.59.2.4
--- src/sys/netinet/ip_carp.c:1.59.2.3	Sat Aug 27 04:25:50 2016
+++ src/sys/netinet/ip_carp.c	Sat Aug 27 04:29:41 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.59.2.3 2016/08/27 04:25:50 snj Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.59.2.4 2016/08/27 04:29:41 snj Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.3 2016/08/27 04:25:50 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.4 2016/08/27 04:29:41 snj Exp $");
 
 /*
  * TODO:
@@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 
 #include 
 #include 
 #include 
+#include 
 #endif
 
 #include 
@@ -675,9 +676,29 @@ carp_proto_input_c(struct mbuf *m, struc
 
 	/* verify the hash */
 	if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) {
+		struct ip *ip;
+		struct ip6_hdr *ip6;
+
 		CARP_STATINC(CARP_STAT_BADAUTH);
 		sc->sc_if.if_ierrors++;
-		CARP_LOG(sc, ("incorrect hash"));
+
+		switch(af) {
+		
+		case AF_INET:
+			ip = mtod(m, struct ip *);
+			CARP_LOG(sc, ("incorrect hash from %s", 
+			in_fmtaddr(ip->ip_src)));
+			break;
+
+		case AF_INET6:
+			ip6 = mtod(m, struct ip6_hdr *);
+			CARP_LOG(sc, ("incorrect hash from %s",
+ip6_sprintf(>ip6_src)));
+			break;
+
+		default: CARP_LOG(sc, ("incorrect hash"));
+			break;
+		}
 		m_freem(m);
 		return;
 	}
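Review bot: the AF_INET6 arm uses struct ip6_hdr and ip6_sprintf()
unconditionally, but the header added in the previous hunk sits inside a
conditional block that ends in #endif; wrap the AF_INET and AF_INET6
arms in the matching #ifdef INET / #ifdef INET6 so a kernel built
without one family still compiles. The address logged here comes from a
packet that has just failed authentication, so the message should be
read as a debugging hint and not as proof of who sent it.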



CVS commit: [netbsd-7] src/sys/netinet

2016-08-26 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Sat Aug 27 04:25:50 UTC 2016

Modified Files:
src/sys/netinet [netbsd-7]: ip_carp.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1208):
sys/netinet/ip_carp.c: revision 1.75
Workaround for PR 47013 by bouyer@. Only works for mixed IPv4/IPv6
environments, not for pure-IPv6 yet. A real fix is still needed.


To generate a diff of this commit:
cvs rdiff -u -r1.59.2.2 -r1.59.2.3 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.59.2.2 src/sys/netinet/ip_carp.c:1.59.2.3
--- src/sys/netinet/ip_carp.c:1.59.2.2	Sat Jul 23 13:33:32 2016
+++ src/sys/netinet/ip_carp.c	Sat Aug 27 04:25:50 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.59.2.2 2016/07/23 13:33:32 is Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.59.2.3 2016/08/27 04:25:50 snj Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.2 2016/07/23 13:33:32 is Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.3 2016/08/27 04:25:50 snj Exp $");
 
 /*
  * TODO:
@@ -1067,7 +1067,7 @@ carp_send_ad(void *v)
 		}
 	}
 #endif /* INET */
-#ifdef INET6
+#ifdef INET6_notyet
 	if (sc->sc_naddrs6) {
 		struct ip6_hdr *ip6;
 
@@ -1475,7 +1475,7 @@ carp_setrun(struct carp_softc *sc, sa_fa
 			callout_schedule(>sc_md_tmo, tvtohz());
 			break;
 #endif /* INET */
-#ifdef INET6
+#ifdef INET6_notyet
 		case AF_INET6:
 			callout_schedule(>sc_md6_tmo, tvtohz());
 			break;
@@ -1483,8 +1483,10 @@ carp_setrun(struct carp_softc *sc, sa_fa
 		default:
 			if (sc->sc_naddrs)
 callout_schedule(>sc_md_tmo, tvtohz());
+#ifdef INET6_notyet
 			if (sc->sc_naddrs6)
 callout_schedule(>sc_md6_tmo, tvtohz());
+#endif /* INET6 */
 			break;
 		}
 		break;
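Review bot: the added '#endif /* INET6 */' closes '#ifdef INET6_notyet',
so the trailing comment names the wrong macro; make it
'/* INET6_notyet */'. INET6_notyet appears in all three hunks with no
explanation, so add a comment at its first use pointing to PR 47013 and
stating that the IPv6 paths in carp_send_ad and carp_setrun are compiled
out as a workaround.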



CVS commit: [netbsd-7] src/sys/netinet

2016-07-23 Thread Ignatios Souvatzis
Module Name:src
Committed By:   is
Date:   Sat Jul 23 13:33:32 UTC 2016

Modified Files:
src/sys/netinet [netbsd-7]: ip_carp.c

Log Message:
backout last change (wrong branch).


To generate a diff of this commit:
cvs rdiff -u -r1.59.2.1 -r1.59.2.2 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.59.2.1 src/sys/netinet/ip_carp.c:1.59.2.2
--- src/sys/netinet/ip_carp.c:1.59.2.1	Sat Jul 23 13:24:40 2016
+++ src/sys/netinet/ip_carp.c	Sat Jul 23 13:33:32 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.59.2.1 2016/07/23 13:24:40 is Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.59.2.2 2016/07/23 13:33:32 is Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.1 2016/07/23 13:24:40 is Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.2 2016/07/23 13:33:32 is Exp $");
 
 /*
  * TODO:
@@ -92,7 +92,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 
 #include 
 #include 
 #include 
-#include 
 #endif
 
 #include 
@@ -676,29 +675,9 @@ carp_proto_input_c(struct mbuf *m, struc
 
 	/* verify the hash */
 	if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) {
-		struct ip *ip;
-		struct ip6_hdr *ip6;
-
 		CARP_STATINC(CARP_STAT_BADAUTH);
 		sc->sc_if.if_ierrors++;
-
-		switch(af) {
-		
-		case AF_INET:
-			ip = mtod(m, struct ip *);
-			CARP_LOG(sc, ("incorrect hash from %s", 
-			in_fmtaddr(ip->ip_src)));
-			break;
-
-		case AF_INET6:
-			ip6 = mtod(m, struct ip6_hdr *);
-			CARP_LOG(sc, ("incorrect hash from %s",
-ip6_sprintf(>ip6_src)));
-			break;
-
-		default: CARP_LOG(sc, ("incorrect hash"));
-			break;
-		}
+		CARP_LOG(sc, ("incorrect hash"));
 		m_freem(m);
 		return;
 	}



CVS commit: [netbsd-7] src/sys/netinet

2016-07-23 Thread Ignatios Souvatzis
Module Name:src
Committed By:   is
Date:   Sat Jul 23 13:24:40 UTC 2016

Modified Files:
src/sys/netinet [netbsd-7]: ip_carp.c

Log Message:
Log the IPv4/IPv6 source of incorrect hash packets, too. Needed for
meaningful debugging.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.2.1 src/sys/netinet/ip_carp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netinet/ip_carp.c
diff -u src/sys/netinet/ip_carp.c:1.59 src/sys/netinet/ip_carp.c:1.59.2.1
--- src/sys/netinet/ip_carp.c:1.59	Thu Jul 31 02:37:25 2014
+++ src/sys/netinet/ip_carp.c	Sat Jul 23 13:24:40 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_carp.c,v 1.59 2014/07/31 02:37:25 ozaki-r Exp $	*/
+/*	$NetBSD: ip_carp.c,v 1.59.2.1 2016/07/23 13:24:40 is Exp $	*/
 /*	$OpenBSD: ip_carp.c,v 1.113 2005/11/04 08:11:54 mcbride Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
 #include "opt_mbuftrace.h"
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59 2014/07/31 02:37:25 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 1.59.2.1 2016/07/23 13:24:40 is Exp $");
 
 /*
  * TODO:
@@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_carp.c,v 
 #include 
 #include 
 #include 
+#include 
 #endif
 
 #include 
@@ -675,9 +676,29 @@ carp_proto_input_c(struct mbuf *m, struc
 
 	/* verify the hash */
 	if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) {
+		struct ip *ip;
+		struct ip6_hdr *ip6;
+
 		CARP_STATINC(CARP_STAT_BADAUTH);
 		sc->sc_if.if_ierrors++;
-		CARP_LOG(sc, ("incorrect hash"));
+
+		switch(af) {
+		
+		case AF_INET:
+			ip = mtod(m, struct ip *);
+			CARP_LOG(sc, ("incorrect hash from %s", 
+			in_fmtaddr(ip->ip_src)));
+			break;
+
+		case AF_INET6:
+			ip6 = mtod(m, struct ip6_hdr *);
+			CARP_LOG(sc, ("incorrect hash from %s",
+ip6_sprintf(>ip6_src)));
+			break;
+
+		default: CARP_LOG(sc, ("incorrect hash"));
+			break;
+		}
 		m_freem(m);
 		return;
 	}
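Review bot: the new switch does not follow the style of the code around
it: 'switch(af)' lacks the space after the keyword, the line after it is
whitespace only, and 'default: CARP_LOG(...)' puts the statement on the
label line; clean these up before the change is pulled to other
branches.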



CVS commit: [netbsd-7] src/sys/netinet

2015-11-05 Thread Jeff Rizzo
Module Name:    src
Committed By:   riz
Date:   Fri Nov  6 00:46:50 UTC 2015

Modified Files:
src/sys/netinet [netbsd-7]: if_arp.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #985):
sys/netinet/if_arp.c: revision 1.160
Add sysctl to selectively log arp packets from unknown network. (Adrien URBAN).


To generate a diff of this commit:
cvs rdiff -u -r1.158 -r1.158.2.1 src/sys/netinet/if_arp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.158 src/sys/netinet/if_arp.c:1.158.2.1
--- src/sys/netinet/if_arp.c:1.158	Tue Jun  3 01:24:32 2014
+++ src/sys/netinet/if_arp.c	Fri Nov  6 00:46:50 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arp.c,v 1.158 2014/06/03 01:24:32 ozaki-r Exp $	*/
+/*	$NetBSD: if_arp.c,v 1.158.2.1 2015/11/06 00:46:50 riz Exp $	*/
 
 /*-
  * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.158 2014/06/03 01:24:32 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.158.2.1 2015/11/06 00:46:50 riz Exp $");
 
 #include "opt_ddb.h"
 #include "opt_inet.h"
@@ -194,6 +194,7 @@ static int arp_drainwanted;
 static int log_movements = 1;
 static int log_permanent_modify = 1;
 static int log_wrong_iface = 1;
+static int log_unknown_network = 1;
 
 /*
  * this should be elsewhere.
@@ -1305,17 +1306,20 @@ arplookup1(struct mbuf *m, const struct 
 		return (struct llinfo_arp *)rt->rt_llinfo;
 
 	if (create) {
-		if (rt->rt_flags & RTF_GATEWAY)
-			why = "host is not on local network";
-		else if ((rt->rt_flags & RTF_LLINFO) == 0) {
+		if (rt->rt_flags & RTF_GATEWAY) {
+			if (log_unknown_network)
+why = "host is not on local network";
+		} else if ((rt->rt_flags & RTF_LLINFO) == 0) {
 			ARP_STATINC(ARP_STAT_ALLOCFAIL);
 			why = "could not allocate llinfo";
 		} else
 			why = "gateway route is not ours";
-		log(LOG_DEBUG, "arplookup: unable to enter address"
-		" for %s@%s on %s (%s)\n",
-		in_fmtaddr(*addr), lla_snprintf(ar_sha(ah), ah->ar_hln),
-		(ifp) ? ifp->if_xname : "null", why);
+		if (why) {
+			log(LOG_DEBUG, "arplookup: unable to enter address"
+			" for %s@%s on %s (%s)\n", in_fmtaddr(*addr),
+			lla_snprintf(ar_sha(ah), ah->ar_hln),
+			(ifp) ? ifp->if_xname : "null", why);
+		}
 		if (rt->rt_refcnt <= 0 && (rt->rt_flags & RTF_CLONED) != 0) {
 			rtrequest(RTM_DELETE, rt_getkey(rt),
 			rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
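
Review bot: in the RTF_GATEWAY branch, why is now left unassigned when log_unknown_network is 0, and the new "if (why)" test only works if why starts out as NULL; its declaration is outside this hunk, so please confirm it is initialized there, otherwise the test reads an indeterminate pointer. A short comment on the RTF_GATEWAY branch saying that the entry is still rejected and only the message is suppressed would also help, because the cleanup that follows runs in both cases.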
@@ -1704,6 +1708,13 @@ sysctl_net_inet_arp_setup(struct sysctll
 			" interface"),
 			NULL, 0, _wrong_iface, 0,
 			CTL_NET,PF_INET, node->sysctl_num, CTL_CREATE, CTL_EOL);
+
+	sysctl_createv(clog, 0, NULL, NULL,
+			CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+			CTLTYPE_INT, "log_unknown_network",
+			SYSCTL_DESCR("log ARP packets from non-local network"),
+			NULL, 0, _unknown_network, 0,
+			CTL_NET,PF_INET, node->sysctl_num, CTL_CREATE, CTL_EOL);
 }
 
 #endif /* INET */
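
Review bot: the new log_unknown_network node has no documentation in this change; it should be described wherever the neighbouring log_wrong_iface node is documented, including that it defaults to 1 so logging is unchanged until an administrator sets it to 0. The description string says "non-local network" while the node name says "unknown network"; using one term in both places would make the knob easier to find.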



CVS commit: [netbsd-7] src/sys/netinet

2015-07-24 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jul 24 07:30:40 UTC 2015

Modified Files:
src/sys/netinet [netbsd-7]: tcp_input.c tcp_output.c

Log Message:
Pull up following revision(s) (requested by matt in ticket #886):
sys/netinet/tcp_output.c: revision 1.184
sys/netinet/tcp_input.c: revision 1.343

If we are sending a window probe and there's unacked data in the
socket, make sure at least the persist timer is running.
Make sure that snd_win doesn't go negative.


To generate a diff of this commit:
cvs rdiff -u -r1.334.2.1 -r1.334.2.2 src/sys/netinet/tcp_input.c
cvs rdiff -u -r1.176.2.4 -r1.176.2.5 src/sys/netinet/tcp_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.334.2.1 src/sys/netinet/tcp_input.c:1.334.2.2
--- src/sys/netinet/tcp_input.c:1.334.2.1	Sat Feb 21 13:40:19 2015
+++ src/sys/netinet/tcp_input.c	Fri Jul 24 07:30:40 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.334.2.1 2015/02/21 13:40:19 martin Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.334.2.2 2015/07/24 07:30:40 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.334.2.1 2015/02/21 13:40:19 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_input.c,v 1.334.2.2 2015/07/24 07:30:40 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -2714,7 +2714,10 @@ after_listen:
 tp-t_lastm = NULL;
 			sbdrop(so-so_snd, acked);
 			tp-t_lastoff -= acked;
-			tp-snd_wnd -= acked;
+			if (tp-snd_wnd  acked)
+tp-snd_wnd -= acked;
+			else
+tp-snd_wnd = 0;
 			ourfinisacked = 0;
 		}
 		sowwakeup(so);
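
Review bot: the new clamp on snd_wnd has no comment saying when acked can be larger than the send window; one line at the else branch would tell the next reader whether this is an expected condition or a sign of a misbehaving peer. The comparison also depends on the declared types of snd_wnd and acked, which are outside this hunk; if one is signed and the other unsigned, make the conversion explicit so the test cannot be defeated by a negative value.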

Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.176.2.4 src/sys/netinet/tcp_output.c:1.176.2.5
--- src/sys/netinet/tcp_output.c:1.176.2.4	Sat Feb 21 13:40:19 2015
+++ src/sys/netinet/tcp_output.c	Fri Jul 24 07:30:40 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.176.2.4 2015/02/21 13:40:19 martin Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.176.2.5 2015/07/24 07:30:40 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176.2.4 2015/02/21 13:40:19 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176.2.5 2015/07/24 07:30:40 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -1522,14 +1522,24 @@ send:
 		 * of retransmit time.
 		 */
 timer:
-		if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0 
-			((sack_rxmit  tp-snd_nxt != tp-snd_max) ||
-		tp-snd_nxt != tp-snd_una)) {
-			if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
-TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+		if (TCP_TIMER_ISARMED(tp, TCPT_REXMT) == 0) {
+			if ((sack_rxmit  tp-snd_nxt != tp-snd_max)
+			|| tp-snd_nxt != tp-snd_una) {
+if (TCP_TIMER_ISARMED(tp, TCPT_PERSIST)) {
+	TCP_TIMER_DISARM(tp, TCPT_PERSIST);
+	tp-t_rxtshift = 0;
+}
+TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
+			} else if (len == 0  so-so_snd.sb_cc  0
+			 TCP_TIMER_ISARMED(tp, TCPT_PERSIST) == 0) {
+/*
+ * If we are sending a window probe and there's
+ * unacked data in the socket, make sure at
+ * least the persist timer is running.
+ */
 tp-t_rxtshift = 0;
+tcp_setpersist(tp);
 			}
-			TCP_TIMER_ARM(tp, TCPT_REXMT, tp-t_rxtcur);
 		}
 	} else
 		if (SEQ_GT(tp-snd_nxt + len, tp-snd_max))
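
Review bot: the new else-if branch is described in its comment as the window probe case, but the test is only len == 0 with data queued in so_snd and no persist timer armed, so any other zero-length segment sent while data is queued takes the same path; either tighten the condition or widen the comment to match. The branch also sets t_rxtshift to 0 just before tcp_setpersist(); if the persist interval is derived from that field, the comment should say that restarting the backoff here is intended.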



CVS commit: [netbsd-7] src/sys/netinet

2015-04-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Apr 14 05:17:31 UTC 2015

Modified Files:
src/sys/netinet [netbsd-7]: in.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #689):
sys/netinet/in.c: revision 1.149
Don't pass junk in sin_family and sin_len for SIOCGIFNETMASK, and explain why.
XXX: pullup 7?


To generate a diff of this commit:
cvs rdiff -u -r1.147 -r1.147.2.1 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in.c
diff -u src/sys/netinet/in.c:1.147 src/sys/netinet/in.c:1.147.2.1
--- src/sys/netinet/in.c:1.147	Tue Jul  1 05:49:18 2014
+++ src/sys/netinet/in.c	Tue Apr 14 05:17:31 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: in.c,v 1.147 2014/07/01 05:49:18 rtr Exp $	*/
+/*	$NetBSD: in.c,v 1.147.2.1 2015/04/14 05:17:31 snj Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in.c,v 1.147 2014/07/01 05:49:18 rtr Exp $);
+__KERNEL_RCSID(0, $NetBSD: in.c,v 1.147.2.1 2015/04/14 05:17:31 snj Exp $);
 
 #include opt_inet.h
 #include opt_inet_conf.h
@@ -427,6 +427,7 @@ in_control(struct socket *so, u_long cmd
 			ia-ia_ifa.ifa_getifa = NULL;
 #endif /* IPSELSRC */
 			ia-ia_sockmask.sin_len = 8;
+			ia-ia_sockmask.sin_family = AF_INET;
 			if (ifp-if_flags  IFF_BROADCAST) {
 ia-ia_broadaddr.sin_len = sizeof(ia-ia_addr);
 ia-ia_broadaddr.sin_family = AF_INET;
@@ -473,7 +474,14 @@ in_control(struct socket *so, u_long cmd
 		break;
 
 	case SIOCGIFNETMASK:
-		ifreq_setaddr(cmd, ifr, sintocsa(ia-ia_sockmask));
+		/* 
+		 * We keep the number of trailing zero bytes the sin_len field
+		 * of ia_sockmask, so we fix this before we pass it back to
+		 * userland.
+		 */
+		oldaddr = ia-ia_sockmask;
+		oldaddr.sin_len = sizeof(struct sockaddr_in);
+		ifreq_setaddr(cmd, ifr, (const void *)oldaddr);
 		break;
 
 	case SIOCSIFDSTADDR:
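
Review bot: the scratch copy in the SIOCGIFNETMASK case reuses oldaddr, a name that says nothing about a netmask and whose declaration is outside this hunk; a dedicated local (for example "struct sockaddr_in mask") would make it obvious that ia_sockmask itself is left untouched and that a complete, fixed-size sockaddr_in is what reaches userland. The new comment is missing a word ("trailing zero bytes in the sin_len field"), and the earlier hunk still hard-codes sin_len = 8 with no pointer to this explanation.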



CVS commit: [netbsd-7] src/sys/netinet

2015-02-21 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Feb 21 18:24:51 UTC 2015

Modified Files:
src/sys/netinet [netbsd-7]: icmp_var.h ip_icmp.h

Log Message:
Pull up following revision(s) (requested by christos in ticket #537):
sys/netinet/icmp_var.h: revision 1.30
sys/netinet/ip_icmp.h: revision 1.34
PR/49676: Ryo Shimizu: ICMP_STATINC() buffer overflows
XXX: pullup-7


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.22.1 src/sys/netinet/icmp_var.h
cvs rdiff -u -r1.33 -r1.33.22.1 src/sys/netinet/ip_icmp.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/icmp_var.h
diff -u src/sys/netinet/icmp_var.h:1.29 src/sys/netinet/icmp_var.h:1.29.22.1
--- src/sys/netinet/icmp_var.h:1.29	Sat Dec 24 19:54:41 2011
+++ src/sys/netinet/icmp_var.h	Sat Feb 21 18:24:51 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp_var.h,v 1.29 2011/12/24 19:54:41 christos Exp $	*/
+/*	$NetBSD: icmp_var.h,v 1.29.22.1 2015/02/21 18:24:51 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1993
@@ -56,8 +56,8 @@
 #define	ICMP_STAT_BMCASTTSTAMP	10	/* b/mcast tstamp requests dropped */
 #define	ICMP_STAT_LAST		16	/* Allow for 5 spare ones */
 #define	ICMP_STAT_OUTHIST	ICMP_STAT_LAST
-#define	ICMP_STAT_INHIST	(ICMP_STAT_LAST + ICMP_MAXTYPE)
-#define	ICMP_NSTATS		(ICMP_STAT_LAST + 2 * ICMP_MAXTYPE)
+#define	ICMP_STAT_INHIST	(ICMP_STAT_LAST + ICMP_NTYPES)
+#define	ICMP_NSTATS		(ICMP_STAT_LAST + 2 * ICMP_NTYPES)
 
 /*
  * Names for ICMP sysctl objects
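
Review bot: with ICMP_STAT_LAST at 16 and ICMP_MAXTYPE at 40, the two redefined macros move ICMP_STAT_INHIST from 56 to 57 and grow ICMP_NSTATS from 96 to 98, which changes the layout and size of the statistics array; on a release branch the log message should say so, since anything compiled against the old header will size and index that array differently. A comment beside ICMP_STAT_OUTHIST and ICMP_STAT_INHIST stating that each histogram has one slot per type from 0 through ICMP_MAXTYPE would keep the off-by-one from coming back.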

Index: src/sys/netinet/ip_icmp.h
diff -u src/sys/netinet/ip_icmp.h:1.33 src/sys/netinet/ip_icmp.h:1.33.22.1
--- src/sys/netinet/ip_icmp.h:1.33	Sat Dec 24 20:18:54 2011
+++ src/sys/netinet/ip_icmp.h	Sat Feb 21 18:24:51 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.h,v 1.33 2011/12/24 20:18:54 christos Exp $	*/
+/*	$NetBSD: ip_icmp.h,v 1.33.22.1 2015/02/21 18:24:51 martin Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1993
@@ -189,6 +189,7 @@ struct icmp {
 #define		ICMP_PHOTURIS_NEED_AUTHZ	5	/* no authorization */
 
 #define ICMP_MAXTYPE		40
+#define ICMP_NTYPES		(ICMP_MAXTYPE + 1)
 
 #ifdef ICMP_STRINGS
 static const char *icmp_type[] = {
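
Review bot: ICMP_NTYPES is added without a comment, right next to a macro it differs from by one; a short comment such as "number of types, 0 through ICMP_MAXTYPE" would make clear which of the two belongs in array sizes and which in range checks. If the icmp_type[] table that follows under ICMP_STRINGS is meant to cover every type, a compile-time check that it has ICMP_NTYPES entries would catch the same class of mistake there.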



CVS commit: [netbsd-7] src/sys/netinet

2014-12-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  1 10:35:37 UTC 2014

Modified Files:
src/sys/netinet [netbsd-7]: ip_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #277):
sys/netinet/ip_output.c: revision 1.233
Call looutput with holding KERNEL_LOCK
This fixes diagnostic assertion KERNEL_LOCKED_P() in if_loop.c.
PR kern/49410


To generate a diff of this commit:
cvs rdiff -u -r1.230 -r1.230.2.1 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.230 src/sys/netinet/ip_output.c:1.230.2.1
--- src/sys/netinet/ip_output.c:1.230	Fri Jun  6 00:11:19 2014
+++ src/sys/netinet/ip_output.c	Mon Dec  1 10:35:37 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.230 2014/06/06 00:11:19 rmind Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.230.2.1 2014/12/01 10:35:37 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: ip_output.c,v 1.230 2014/06/06 00:11:19 rmind Exp $);
+__KERNEL_RCSID(0, $NetBSD: ip_output.c,v 1.230.2.1 2014/12/01 10:35:37 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -1683,5 +1683,7 @@ ip_mloopback(struct ifnet *ifp, struct m
 
 	ip-ip_sum = 0;
 	ip-ip_sum = in_cksum(copym, ip-ip_hl  2);
+	KERNEL_LOCK(1, NULL);
 	(void)looutput(ifp, copym, sintocsa(dst), NULL);
+	KERNEL_UNLOCK_ONE(NULL);
 }
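
Review bot: the KERNEL_LOCK(1, NULL) and KERNEL_UNLOCK_ONE(NULL) pair added around looutput() has no comment, so without the log message a reader cannot tell that it exists to satisfy the KERNEL_LOCKED_P() assertion in if_loop.c. Please add a one-line comment to that effect, and state whether ip_mloopback() can be entered with the kernel lock already held, since the pair then only adds and drops one recursion level.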



CVS commit: [netbsd-7] src/sys/netinet

2014-12-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Dec  1 13:08:14 UTC 2014

Modified Files:
src/sys/netinet [netbsd-7]: in4_cksum.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #281):
sys/netinet/in4_cksum.c: revision 1.20
Only check that the offset  sizeof(struct ip) if nxt != 0, i.e. in the
tcp and udp cases. From kre.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.19.12.1 src/sys/netinet/in4_cksum.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/in4_cksum.c
diff -u src/sys/netinet/in4_cksum.c:1.19 src/sys/netinet/in4_cksum.c:1.19.12.1
--- src/sys/netinet/in4_cksum.c:1.19	Tue Mar 12 21:54:36 2013
+++ src/sys/netinet/in4_cksum.c	Mon Dec  1 13:08:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: in4_cksum.c,v 1.19 2013/03/12 21:54:36 christos Exp $	*/
+/*	$NetBSD: in4_cksum.c,v 1.19.12.1 2014/12/01 13:08:14 martin Exp $	*/
 
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger jo...@netbsd.org.
@@ -30,7 +30,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: in4_cksum.c,v 1.19 2013/03/12 21:54:36 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: in4_cksum.c,v 1.19.12.1 2014/12/01 13:08:14 martin Exp $);
 
 #include sys/param.h
 #include sys/mbuf.h
@@ -58,9 +58,6 @@ in4_cksum(struct mbuf *m, u_int8_t nxt, 
 	uint32_t sum;
 	uint16_t *w;
 
-	if (__predict_false(off  sizeof(struct ip)))
-		PANIC(%s: offset %d too short for IP header %zu, __func__,
-		off, sizeof(struct ip));
 	if (__predict_false(m-m_len  sizeof(struct ip)))
 		PANIC(%s: mbuf %d too short for IP header %zu, __func__,
 		m-m_len, sizeof(struct ip));
@@ -68,6 +65,10 @@ in4_cksum(struct mbuf *m, u_int8_t nxt, 
 	if (nxt == 0)
 		return cpu_in_cksum(m, len, off, 0);
 
+	if (__predict_false(off  sizeof(struct ip)))
+		PANIC(%s: offset %d too short for IP header %zu, __func__,
+		off, sizeof(struct ip));
+
 	/*
 	 * Compute the equivalent of:
 	 * struct ipovly ip;
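
Review bot: after the move, the nxt == 0 path returns through cpu_in_cksum(m, len, off, 0) before off is checked at all, so that path now accepts any offset the caller passes; a comment above the early return stating that off may legitimately be smaller than an IP header there, and that the caller is responsible for it lying within the chain, would document the new contract. The relocated PANIC keeps the wording "too short for IP header", which is fine for the TCP and UDP cases it now covers.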



CVS commit: [netbsd-7] src/sys/netinet

2014-10-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Oct 26 09:48:18 UTC 2014

Modified Files:
src/sys/netinet [netbsd-7]: tcp_output.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #157):
sys/netinet/tcp_output.c: revision 1.178
Avoid stack overflow when SACK and TCP_SIGNATURE are both present. Thanks
to Jonathan Looney for pointing this out.


To generate a diff of this commit:
cvs rdiff -u -r1.176.2.1 -r1.176.2.2 src/sys/netinet/tcp_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.176.2.1 src/sys/netinet/tcp_output.c:1.176.2.2
--- src/sys/netinet/tcp_output.c:1.176.2.1	Fri Oct 24 07:28:14 2014
+++ src/sys/netinet/tcp_output.c	Sun Oct 26 09:48:18 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.176.2.1 2014/10/24 07:28:14 martin Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.176.2.2 2014/10/26 09:48:18 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176.2.1 2014/10/24 07:28:14 martin Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176.2.2 2014/10/26 09:48:18 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -557,6 +557,7 @@ tcp_output(struct tcpcb *tp)
 #endif
 	struct tcphdr *th;
 	u_char opt[MAX_TCPOPTLEN];
+#define OPT_FITS(more)	((optlen + (more))  sizeof(opt))
 	unsigned optlen, hdrlen, packetlen;
 	unsigned int sack_numblks;
 	int idle, sendalot, txsegsize, rxsegsize;
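
Review bot: OPT_FITS() is defined in the middle of the local declarations of tcp_output(), refers to optlen on the line before optlen is declared, and is never undefined, so it stays visible for the rest of the file. Move the definition below the declarations (or make it a small static inline taking optlen and the buffer size), add an #undef after the function, and give it a one-line comment stating whether exactly filling opt[] counts as fitting.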
@@ -1123,7 +1124,7 @@ send:
 		tp-snd_nxt = tp-iss;
 		tp-t_ourmss = tcp_mss_to_advertise(synrt != NULL ?
 		synrt-rt_ifp : NULL, af);
-		if ((tp-t_flags  TF_NOOPT) == 0) {
+		if ((tp-t_flags  TF_NOOPT) == 0  OPT_FITS(4)) {
 			opt[0] = TCPOPT_MAXSEG;
 			opt[1] = 4;
 			opt[2] = (tp-t_ourmss  8)  0xff;
@@ -1132,7 +1133,8 @@ send:
 
 			if ((tp-t_flags  TF_REQ_SCALE) 
 			((flags  TH_ACK) == 0 ||
-			(tp-t_flags  TF_RCVD_SCALE))) {
+			(tp-t_flags  TF_RCVD_SCALE)) 
+			OPT_FITS(4)) {
 *((u_int32_t *) (opt + optlen)) = htonl(
 	TCPOPT_NOP  24 |
 	TCPOPT_WINDOW  16 |
@@ -1140,7 +1142,7 @@ send:
 	tp-request_r_scale);
 optlen += 4;
 			}
-			if (tcp_do_sack) {
+			if (tcp_do_sack  OPT_FITS(4)) {
 u_int8_t *cp = (u_int8_t *)(opt + optlen);
 
 cp[0] = TCPOPT_SACK_PERMITTED;
@@ -1160,7 +1162,7 @@ send:
 	if ((tp-t_flags  (TF_REQ_TSTMP|TF_NOOPT)) == TF_REQ_TSTMP 
 	 (flags  TH_RST) == 0 
 	((flags  (TH_SYN|TH_ACK)) == TH_SYN ||
-	 (tp-t_flags  TF_RCVD_TSTMP))) {
+	 (tp-t_flags  TF_RCVD_TSTMP))  OPT_FITS(TCPOLEN_TSTAMP_APPA)) {
 		u_int32_t *lp = (u_int32_t *)(opt + optlen);
 
 		/* Form timestamp option as shown in appendix A of RFC 1323. */
@@ -1184,30 +1186,33 @@ send:
 		struct ipqent *tiqe;
 
 		sack_len = sack_numblks * 8 + 2;
-		bp[0] = TCPOPT_NOP;
-		bp[1] = TCPOPT_NOP;
-		bp[2] = TCPOPT_SACK;
-		bp[3] = sack_len;
-		if ((tp-rcv_sack_flags  TCPSACK_HAVED) != 0) {
-			sack_numblks--;
-			*lp++ = htonl(tp-rcv_dsack_block.left);
-			*lp++ = htonl(tp-rcv_dsack_block.right);
-			tp-rcv_sack_flags = ~TCPSACK_HAVED;
-		}
-		for (tiqe = TAILQ_FIRST(tp-timeq);
-		sack_numblks  0; tiqe = TAILQ_NEXT(tiqe, ipqe_timeq)) {
-			KASSERT(tiqe != NULL);
-			sack_numblks--;
-			*lp++ = htonl(tiqe-ipqe_seq);
-			*lp++ = htonl(tiqe-ipqe_seq + tiqe-ipqe_len +
-			((tiqe-ipqe_flags  TH_FIN) != 0 ? 1 : 0));
+		if (OPT_FITS(sack_len + 2)) {
+			bp[0] = TCPOPT_NOP;
+			bp[1] = TCPOPT_NOP;
+			bp[2] = TCPOPT_SACK;
+			bp[3] = sack_len;
+			if ((tp-rcv_sack_flags  TCPSACK_HAVED) != 0) {
+sack_numblks--;
+*lp++ = htonl(tp-rcv_dsack_block.left);
+*lp++ = htonl(tp-rcv_dsack_block.right);
+tp-rcv_sack_flags = ~TCPSACK_HAVED;
+			}
+			for (tiqe = TAILQ_FIRST(tp-timeq);
+			sack_numblks  0;
+			tiqe = TAILQ_NEXT(tiqe, ipqe_timeq)) {
+KASSERT(tiqe != NULL);
+sack_numblks--;
+*lp++ = htonl(tiqe-ipqe_seq);
+*lp++ = htonl(tiqe-ipqe_seq + tiqe-ipqe_len +
+((tiqe-ipqe_flags  TH_FIN) != 0 ? 1 : 0));
+			}
+			optlen += sack_len + 2;
 		}
-		optlen += sack_len + 2;
 	}
 	TCP_REASS_UNLOCK(tp);
 
 #ifdef TCP_SIGNATURE
-	if (tp-t_flags  TF_SIGNATURE) {
+	if ((tp-t_flags  TF_SIGNATURE)  OPT_FITS(TCPOLEN_SIGNATURE + 2)) {
 		u_char *bp;
 		/*
 		 * Initialize TCP-MD5 option (RFC2385)
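
Review bot: at the TCP_SIGNATURE test at the end of this hunk, a connection with TF_SIGNATURE set now sends the segment without the signature option whenever OPT_FITS(TCPOLEN_SIGNATURE + 2) is false, which turns the overflow into a silently unsigned segment; it would be safer to reserve the signature space before the optional options are added, or to fail the send, than to drop the one option the peer requires. The SACK block above is likewise all or nothing: when sack_len + 2 does not fit, no SACK blocks are sent at all, where reducing sack_numblks to what fits would keep some of the information. Neither skip is counted or logged, so a statistics counter would make the condition visible.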



CVS commit: [netbsd-7] src/sys/netinet

2014-10-24 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Oct 24 07:28:14 UTC 2014

Modified Files:
src/sys/netinet [netbsd-7]: tcp_output.c

Log Message:
Pull up following revision(s) (requested by hikaru in ticket #154):
sys/netinet/tcp_output.c: revision 1.177
Fix wrong condition checking TSO capability.
ipsec_used is not necessary condition.
IPsec outbound policy will not be checked when ipsec_used is false.


To generate a diff of this commit:
cvs rdiff -u -r1.176 -r1.176.2.1 src/sys/netinet/tcp_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/tcp_output.c
diff -u src/sys/netinet/tcp_output.c:1.176 src/sys/netinet/tcp_output.c:1.176.2.1
--- src/sys/netinet/tcp_output.c:1.176	Fri May 30 01:39:03 2014
+++ src/sys/netinet/tcp_output.c	Fri Oct 24 07:28:14 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.176 2014/05/30 01:39:03 christos Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.176.2.1 2014/10/24 07:28:14 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
  */
 
 #include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176 2014/05/30 01:39:03 christos Exp $);
+__KERNEL_RCSID(0, $NetBSD: tcp_output.c,v 1.176.2.1 2014/10/24 07:28:14 martin Exp $);
 
 #include opt_inet.h
 #include opt_ipsec.h
@@ -630,8 +630,8 @@ tcp_output(struct tcpcb *tp)
 #if defined(INET)
 	has_tso4 = tp-t_inpcb != NULL 
 #if defined(IPSEC)
-	ipsec_used  IPSEC_PCB_SKIP_IPSEC(tp-t_inpcb-inp_sp,
-	IPSEC_DIR_OUTBOUND) 
+	(!ipsec_used || IPSEC_PCB_SKIP_IPSEC(tp-t_inpcb-inp_sp,
+	IPSEC_DIR_OUTBOUND)) 
 #endif
 	(rt = rtcache_validate(tp-t_inpcb-inp_route)) != NULL 
 	(rt-rt_ifp-if_capenable  IFCAP_TSOv4) != 0;
@@ -639,8 +639,8 @@ tcp_output(struct tcpcb *tp)
 #if defined(INET6)
 	has_tso6 = tp-t_in6pcb != NULL 
 #if defined(IPSEC)
-	ipsec_used  IPSEC_PCB_SKIP_IPSEC(tp-t_in6pcb-in6p_sp,
-	IPSEC_DIR_OUTBOUND) 
+	(!ipsec_used || IPSEC_PCB_SKIP_IPSEC(tp-t_in6pcb-in6p_sp,
+	IPSEC_DIR_OUTBOUND)) 
 #endif
 	(rt = rtcache_validate(tp-t_in6pcb-in6p_route)) != NULL 
 	(rt-rt_ifp-if_capenable  IFCAP_TSOv6) != 0;
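
Review bot: the corrected test "(!ipsec_used || IPSEC_PCB_SKIP_IPSEC(...))" is written out twice, once for has_tso4 and once here for has_tso6, and the original mistake was made identically in both copies. Folding it into one small helper or macro that takes the policy pointer, with a comment saying that TSO is allowed when IPsec is not in use at all or when the outbound policy lets this PCB bypass it, would keep the two address families from drifting apart again.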


