Module Name: src Committed By: martin Date: Wed Jun 6 09:48:50 UTC 2018
Modified Files: src/sys/netinet [netbsd-7]: udp_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1607): sys/netinet/udp_usrreq.c: revision 1.237 (via patch) Fix three pretty bad mistakes in NAT-T: * If we got a keepalive packet, we need to call m_freem, not m_free. Here the next mbufs in the chain are not freed. Seems easy to remotely DoS the system by sending fragmented keepalives in a loop. * If !ipsec_used, free the mbuf. * In udp_input, we need to update 'uh', because udp4_realinput may have modified the chain. Perhaps we also need to re-enforce alignment, so add an XXX. To generate a diff of this commit: cvs rdiff -u -r1.217 -r1.217.2.1 src/sys/netinet/udp_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/udp_usrreq.c diff -u src/sys/netinet/udp_usrreq.c:1.217 src/sys/netinet/udp_usrreq.c:1.217.2.1 --- src/sys/netinet/udp_usrreq.c:1.217 Sat Aug 9 05:33:01 2014 +++ src/sys/netinet/udp_usrreq.c Wed Jun 6 09:48:50 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $ */ +/* $NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -66,7 +66,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217 2014/08/09 05:33:01 rtr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.217.2.1 2018/06/06 09:48:50 martin Exp $"); #include "opt_inet.h" #include "opt_compat_netbsd.h" @@ -395,7 +395,15 @@ udp_input(struct mbuf *m, ...) */ return; } + ip = mtod(m, struct ip *); + IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr)); + if (uh == NULL) { + UDP_STATINC(UDP_STAT_HDROPS); + return; + } + /* XXX Re-enforce alignment? */ + #ifdef INET6 if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) { struct sockaddr_in6 src6, dst6; @@ -1301,7 +1309,7 @@ udp4_espinudp(struct mbuf **mp, int off, /* Ignore keepalive packets */ if ((len == 1) && (*(unsigned char *)data == 0xff)) { - m_free(m); + m_freem(m); *mp = NULL; /* avoid any further processiong by caller ... */ return 1; } @@ -1383,7 +1391,8 @@ udp4_espinudp(struct mbuf **mp, int off, #ifdef IPSEC if (ipsec_used) ipsec4_common_input(m, iphdrlen, IPPROTO_ESP); - /* XXX: else */ + else + m_freem(m); #else esp4_input(m, iphdrlen); #endif
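Review bot: The `uh == NULL` branch added to udp_input returns without an m_freem, which reads like a leak next to the two mbuf-freeing fixes in this same commit. If IP6_EXTHDR_GET behaves here as it does elsewhere in the stack (built on m_pulldown, which releases the chain when it fails), the bare return is correct, but the macro's definition is not visible on this page. A comment such as `/* IP6_EXTHDR_GET has already freed m on failure */` above the `return;` would settle it for the next reader. The `/* XXX Re-enforce alignment? */` marker should also name the risk: presumably `uh` is dereferenced later on, and a header re-fetched from a chain that udp4_realinput rearranged may no longer meet the alignment set up earlier in the function. udp_input starts and ends outside the hunk, so both points need checking against the full body.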
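Review bot: The keepalive branch of udp4_espinudp now releases the whole chain, but nothing at the call says why the chain form is required. This is the slip the commit message describes as remotely triggerable with fragmented keepalives, so it is worth guarding against a later revert to m_free. A comment on the call would do it, e.g. `/* m can be a multi-mbuf chain (fragmented keepalive); free all of it */`. The function body continues outside the hunk.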
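Review bot: On the new `else m_freem(m);` path in udp4_espinudp the chain is freed, but the hunk stops at `#endif` before showing what happens to `*mp` or what is returned. The keepalive branch earlier in the function sets `*mp = NULL` before `return 1;` so the caller does not touch the freed chain. Please confirm the code after `#endif` does the same for this path, otherwise the caller is left holding a dangling pointer and may free it again. The packet is also dropped silently when `ipsec_used` is false; bumping a drop statistic next to the `m_freem(m)` would make ESP-in-UDP traffic arriving at a host without IPsec visible to operators.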