Module Name: src Committed By: maxv Date: Tue Mar 6 17:39:36 UTC 2018
Modified Files: src/sys/netinet6: ip6_input.c Log Message: Perform the IP (src/dst) checks _before_ calling the packet filter, because if the filter has a "return-icmp" rule it may call icmp6_error with an src field that was not entirely validated. To generate a diff of this commit: cvs rdiff -u -r1.193 -r1.194 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.193 src/sys/netinet6/ip6_input.c:1.194 --- src/sys/netinet6/ip6_input.c:1.193 Sat Feb 24 07:37:09 2018 +++ src/sys/netinet6/ip6_input.c Tue Mar 6 17:39:36 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $ */ +/* $NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.193 2018/02/24 07:37:09 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.194 2018/03/06 17:39:36 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -321,54 +321,6 @@ ip6_input(struct mbuf *m, struct ifnet * } /* - * Assume that we can create a fast-forward IP flow entry - * based on this packet. - */ - m->m_flags |= M_CANFASTFWD; - - /* - * Run through list of hooks for input packets. If there are any - * filters which require that additional packets in the flow are - * not fast-forwarded, they must clear the M_CANFASTFWD flag. - * Note that filters must _never_ set this flag, as another filter - * in the list may have previously cleared it. - */ - /* - * let ipfilter look at packet on the wire, - * not the decapsulated packet. - */ -#if defined(IPSEC) - if (!ipsec_used || !ipsec_indone(m)) -#else - if (1) -#endif - { - struct in6_addr odst; - - odst = ip6->ip6_dst; - if (pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN) != 0) - return; - if (m == NULL) - return; - ip6 = mtod(m, struct ip6_hdr *); - srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); - } - - IP6_STATINC(IP6_STAT_NXTHIST + ip6->ip6_nxt); - -#ifdef ALTQ - if (altq_input != NULL) { - SOFTNET_LOCK(); - if ((*altq_input)(m, AF_INET6) == 0) { - SOFTNET_UNLOCK(); - /* packet is dropped by traffic conditioner */ - return; - } - SOFTNET_UNLOCK(); - } -#endif - - /* * Check against address spoofing/corruption. */ if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_src) || @@ -417,6 +369,54 @@ ip6_input(struct mbuf *m, struct ifnet * #endif /* + * Assume that we can create a fast-forward IP flow entry + * based on this packet. + */ + m->m_flags |= M_CANFASTFWD; + + /* + * Run through list of hooks for input packets. If there are any + * filters which require that additional packets in the flow are + * not fast-forwarded, they must clear the M_CANFASTFWD flag. + * Note that filters must _never_ set this flag, as another filter + * in the list may have previously cleared it. + */ + /* + * let ipfilter look at packet on the wire, + * not the decapsulated packet. + */ +#if defined(IPSEC) + if (!ipsec_used || !ipsec_indone(m)) +#else + if (1) +#endif + { + struct in6_addr odst; + + odst = ip6->ip6_dst; + if (pfil_run_hooks(inet6_pfil_hook, &m, rcvif, PFIL_IN) != 0) + return; + if (m == NULL) + return; + ip6 = mtod(m, struct ip6_hdr *); + srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); + } + + IP6_STATINC(IP6_STAT_NXTHIST + ip6->ip6_nxt); + +#ifdef ALTQ + if (altq_input != NULL) { + SOFTNET_LOCK(); + if ((*altq_input)(m, AF_INET6) == 0) { + SOFTNET_UNLOCK(); + /* packet is dropped by traffic conditioner */ + return; + } + SOFTNET_UNLOCK(); + } +#endif + + /* * Disambiguate address scope zones (if there is ambiguity). * We first make sure that the original source or destination address * is not in our internal form for scoped addresses. Such addresses