CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Wed Apr 15 14:59:33 UTC 2020 Modified Files: src/sys/netinet6 [netbsd-7-0]: nd6_rtr.c Log Message: Pull up following revision(s) (requested by kim in ticket #1727): sys/netinet6/nd6_rtr.c: revision 1.148 (via patch) Fix default route selection The primary issue was that in revision 1.79 a check was added in the nd6_defrouter_select() search loop to ignore the entry if RA processing is enabled on its interface. In practice this results in all entries being ignored. This fix reverses the condition, so that an entry is ignored when RA processing is NOT enabled on its interface. Further, the entry is only ignored for being selected as the default router. The currently installed router must be identified regardless of the (current) status of its interface, so that we can delete the route before installing a new one. I also added error logging when adding or deleting a route fails. This should help the administrator (or kernel developer) in noticing possible problems. Finally, if deleting a route fails, the corresponding default route entry no longer has its "installed" flag cleared, so that deletion will be retried. At a minimum, this will cause repeated messages about the failed deletion as opposed to only getting repeated messages about the installation of a new default route failing. Fixes PR kern/55091 and also PR bin/54997 as far as the behaviour observed with ndp(8). To generate a diff of this commit: cvs rdiff -u -r1.93.2.3 -r1.93.2.3.2.1 src/sys/netinet6/nd6_rtr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Aug 14 14:36:37 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: frag6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1630): sys/netinet6/frag6.c: revision 1.64 Kick zero-sized fragments. We can't allow them to enter; two fragments could be put at the same offset. To generate a diff of this commit: cvs rdiff -u -r1.55.6.2 -r1.55.6.3 src/sys/netinet6/frag6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:14:45 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1591): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Sun Apr 1 09:09:58 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: ip6_forward.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1590): sys/netinet6/ip6_forward.c: revision 1.91 (via patch) Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed, and a 'goto out' is missing after ipsec6_process_packet. To generate a diff of this commit: cvs rdiff -u -r1.73.2.1.2.1 -r1.73.2.1.2.2 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: snj Date: Sun Feb 25 23:17:22 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: ip6_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1572): sys/netinet6/ip6_input.c: 1.188 via patch Kick nested fragments. To generate a diff of this commit: cvs rdiff -u -r1.149.2.1.2.1 -r1.149.2.1.2.2 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: snj Date: Mon Feb 12 18:37:48 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: ip6_forward.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1551): sys/netinet6/ip6_forward.c: 1.89-1.90 via patch Fix use-after-free of mbuf by ip6flow_create This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd. -- Fix use-after-free of mbuf by ip6flow_create (one more) To generate a diff of this commit: cvs rdiff -u -r1.73.2.1 -r1.73.2.1.2.1 src/sys/netinet6/ip6_forward.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 13:06:29 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: nd6_nbr.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1562): sys/netinet6/nd6_nbr.c: revision 1.145 (patch) Fix memory leak. Contrary to what the XXX indicates, this place is 100% reachable remotely. To generate a diff of this commit: cvs rdiff -u -r1.100.2.2 -r1.100.2.2.2.1 src/sys/netinet6/nd6_nbr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Fri Feb 2 11:03:53 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: ip6_mroute.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1561): sys/netinet6/ip6_mroute.c: revision 1.120 Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE, not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain on an mbuf that was already freed. To generate a diff of this commit: cvs rdiff -u -r1.107 -r1.107.6.1 src/sys/netinet6/ip6_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: martin Date: Tue Jan 30 18:31:53 UTC 2018 Modified Files: src/sys/netinet6 [netbsd-7-0]: frag6.c ip6_input.c ip6_var.h raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1560): sys/netinet6/frag6.c: revision 1.65 sys/netinet6/ip6_input.c: revision 1.187 sys/netinet6/ip6_var.h: revision 1.78 sys/netinet6/raw_ip6.c: revision 1.160 (patch) Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet- controlled data beyond the end of the first mbuf. The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU. But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'. However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures. As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know. Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases. Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched. This place is still fragile. To generate a diff of this commit: cvs rdiff -u -r1.55 -r1.55.6.1 src/sys/netinet6/frag6.c cvs rdiff -u -r1.149.2.1 -r1.149.2.1.2.1 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.62.2.1 -r1.62.2.1.2.1 src/sys/netinet6/ip6_var.h cvs rdiff -u -r1.136 -r1.136.6.1 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: [netbsd-7-0] src/sys/netinet6
Module Name:src Committed By: msaitoh Date: Wed Nov 18 08:34:49 UTC 2015 Modified Files: src/sys/netinet6 [netbsd-7-0]: mld6.c Log Message: Pull up following revision(s) (requested by joerg in ticket #1035): sys/netinet6/mld6.c: revision 1.64 Ensure that the callout of the multicast address is valid before hooking it up. To generate a diff of this commit: cvs rdiff -u -r1.59.2.2 -r1.59.2.2.2.1 src/sys/netinet6/mld6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.