CVS commit: [netbsd-7] src/sys/netinet

Wed, 06 Jun 2018 02:49:45 -0700 

Module Name:    src
Committed By:   martin
Date:           Wed Jun  6 09:48:50 UTC 2018

Modified Files:
        src/sys/netinet [netbsd-7]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1607):

        sys/netinet/udp_usrreq.c: revision 1.237 (via patch)

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.217 -r1.217.2.1 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.217 src/sys/netinet/udp_usrreq.c:1.217.2.1
--- src/sys/netinet/udp_usrreq.c:1.217	Sat Aug  9 05:33:01 2014
+++ src/sys/netinet/udp_usrreq.c	Wed Jun  6 09:48:50 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
@@ -395,7 +395,15 @@ udp_input(struct mbuf *m, ...)
 		 */
 		return;
 	}
+
 	ip = mtod(m, struct ip *);
+	IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr));
+	if (uh == NULL) {
+		UDP_STATINC(UDP_STAT_HDROPS);
+		return;
+	}
+	/* XXX Re-enforce alignment? */
+
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
@@ -1301,7 +1309,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
-		m_free(m);
+		m_freem(m);
 		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
@@ -1383,7 +1391,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 #ifdef IPSEC
 	if (ipsec_used)
 		ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
-	/* XXX: else */
+	else
+		m_freem(m);
 #else
 	esp4_input(m, iphdrlen);
 #endif

Reply via email to