Module Name:    src
Committed By:   maxv
Date:           Sat Apr 14 08:03:33 UTC 2018

Modified Files:
        src/sys/netinet6: icmp6.c

Log Message:
Remove the RH0 code from ICMPv6. RH0 is deprecated by RFC5095 (2007) for
security reasons. We already removed it in Route6.

In addition there was an mbuf bug here: calling IP6_EXTHDR_GET twice with
the same offset, but still using the pointer from the first call, which
could have been made invalid. By luck, m_pulldown leaves zero-sized mbufs
in place, instead of freeing them.

And in general, using a 'finaldst' pointer on the mbuf, and then modifying
that mbuf with IP6_EXTHDR_GET with a smaller offset, was really error-
prone.


To generate a diff of this commit:
cvs rdiff -u -r1.227 -r1.228 src/sys/netinet6/icmp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.227 src/sys/netinet6/icmp6.c:1.228
--- src/sys/netinet6/icmp6.c:1.227	Sat Apr 14 06:45:17 2018
+++ src/sys/netinet6/icmp6.c	Sat Apr 14 08:03:33 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.227 2018/04/14 06:45:17 maxv Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.228 2018/04/14 08:03:33 maxv Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.227 2018/04/14 06:45:17 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.228 2018/04/14 08:03:33 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -963,8 +963,6 @@ icmp6_notify_error(struct mbuf *m, int o
 		int icmp6type = icmp6->icmp6_type;
 		struct ip6_frag *fh;
 		struct ip6_rthdr *rth;
-		struct ip6_rthdr0 *rth0;
-		int rthlen;
 		struct ifnet *rcvif;
 		int s;
 
@@ -989,46 +987,15 @@ icmp6_notify_error(struct mbuf *m, int o
 				nxt = eh->ip6e_nxt;
 				break;
 			case IPPROTO_ROUTING:
-				/*
-				 * When the erroneous packet contains a
-				 * routing header, we should examine the
-				 * header to determine the final destination.
-				 * Otherwise, we can't properly update
-				 * information that depends on the final
-				 * destination (e.g. path MTU).
-				 */
+				/* Ignore the option. */
 				IP6_EXTHDR_GET(rth, struct ip6_rthdr *, m,
 					       eoff, sizeof(*rth));
 				if (rth == NULL) {
 					ICMP6_STATINC(ICMP6_STAT_TOOSHORT);
 					return (-1);
 				}
-				rthlen = (rth->ip6r_len + 1) << 3;
-				/*
-				 * XXX: currently there is no
-				 * officially defined type other
-				 * than type-0.
-				 * Note that if the segment left field
-				 * is 0, all intermediate hops must
-				 * have been passed.
-				 */
-				if (rth->ip6r_segleft &&
-				    rth->ip6r_type == IPV6_RTHDR_TYPE_0) {
-					int hops;
-
-					IP6_EXTHDR_GET(rth0,
-						       struct ip6_rthdr0 *, m,
-						       eoff, rthlen);
-					if (rth0 == NULL) {
-						ICMP6_STATINC(ICMP6_STAT_TOOSHORT);
-						return (-1);
-					}
-					/* just ignore a bogus header */
-					if ((rth0->ip6r0_len % 2) == 0 &&
-					    (hops = rth0->ip6r0_len/2))
-						finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
-				}
-				eoff += rthlen;
+
+				eoff += (rth->ip6r_len + 1) << 3;
 				nxt = rth->ip6r_nxt;
 				break;
 			case IPPROTO_FRAGMENT:
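Review bot: The new comment `/* Ignore the option. */` in the IPPROTO_ROUTING case is terse and slightly off, since a routing header is an extension header rather than an option, and it drops the rationale the old comment carried. Something like `/* Skip the routing header without parsing it: RH0 is deprecated (RFC 5095), so the final destination is no longer taken from it. */` would record why only `ip6r_len` and `ip6r_nxt` are read from the single `IP6_EXTHDR_GET` result. With the assignment removed, nothing in this hunk sets `finaldst` any more; if it is still declared and tested later in icmp6_notify_error (outside the hunk), that path is presumably dead and could be removed in a follow-up. The enclosing loop and function start and end outside the hunk.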
