Module Name: src Committed By: bouyer Date: Sat Mar 17 17:53:01 UTC 2012
Modified Files: src/sys/netinet [netbsd-6]: rfc6056.c Log Message: Pull up following revision(s) (requested by gson in ticket #122): sys/netinet/rfc6056.c: revision 1.5 Fix random kernel memory corruption by algo_doublehash(). And by "random" I don't mean just "arbitary" as in using an uninitialized pointer, but random as in corrupting the contents of memory addresses chosen using a crypto-strength random number generator. I believe this is the likely cause of multiple reports of random crashes over the last six months, including kern/45677 and kern/46096. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.4.1 src/sys/netinet/rfc6056.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/rfc6056.c diff -u src/sys/netinet/rfc6056.c:1.4 src/sys/netinet/rfc6056.c:1.4.4.1 --- src/sys/netinet/rfc6056.c:1.4 Sat Nov 19 22:51:25 2011 +++ src/sys/netinet/rfc6056.c Sat Mar 17 17:53:01 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: rfc6056.c,v 1.4 2011/11/19 22:51:25 tls Exp $ */ +/* $NetBSD: rfc6056.c,v 1.4.4.1 2012/03/17 17:53:01 bouyer Exp $ */ /* * Copyright 2011 Vlad Balan @@ -29,7 +29,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: rfc6056.c,v 1.4 2011/11/19 22:51:25 tls Exp $"); +__KERNEL_RCSID(0, "$NetBSD: rfc6056.c,v 1.4.4.1 2012/03/17 17:53:01 bouyer Exp $"); #include "opt_inet.h" @@ -665,8 +665,9 @@ algo_doublehash(int algo, uint16_t *port uint16_t count, num_ephemeral; uint16_t mymin, mymax, lastport; uint16_t *next_ephemeral; - uint16_t offset, idx, myport; + uint16_t offset, myport; static uint16_t dhtable[8]; + size_t idx; int error; DPRINTF("%s called\n", __func__); @@ -688,7 +689,7 @@ algo_doublehash(int algo, uint16_t *port /* Ephemeral port selection function */ num_ephemeral = mymax - mymin + 1; offset = Fhash(inp_hdr); - idx = Fhash(inp_hdr); /* G */ + idx = Fhash(inp_hdr) % __arraycount(dhtable); /* G */ count = num_ephemeral; do {