Module Name: src Committed By: martin Date: Thu Jun 7 16:05:09 UTC 2018
Modified Files: src/sys/netinet [netbsd-8]: udp_usrreq.c Log Message: Pull up following revision(s) (requested by maxv in ticket #837): sys/netinet/udp_usrreq.c: revision 1.237 Fix three pretty bad mistakes in NAT-T: * If we got a keepalive packet, we need to call m_freem, not m_free. Here the next mbufs in the chain are not freed. Seems easy to remotely DoS the system by sending fragmented keepalives in a loop. * If !ipsec_used, free the mbuf. * In udp_input, we need to update 'uh', because udp4_realinput may have modified the chain. Perhaps we also need to re-enforce alignment, so add an XXX. To generate a diff of this commit: cvs rdiff -u -r1.233.4.2 -r1.233.4.3 src/sys/netinet/udp_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/udp_usrreq.c diff -u src/sys/netinet/udp_usrreq.c:1.233.4.2 src/sys/netinet/udp_usrreq.c:1.233.4.3 --- src/sys/netinet/udp_usrreq.c:1.233.4.2 Mon Apr 9 13:34:10 2018 +++ src/sys/netinet/udp_usrreq.c Thu Jun 7 16:05:09 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $ */ +/* $NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -66,7 +66,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -410,7 +410,15 @@ udp_input(struct mbuf *m, ...) */ return; } + ip = mtod(m, struct ip *); + IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr)); + if (uh == NULL) { + UDP_STATINC(UDP_STAT_HDROPS); + return; + } + /* XXX Re-enforce alignment? */ + #ifdef INET6 if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) { struct sockaddr_in6 src6, dst6; @@ -1287,7 +1295,7 @@ udp4_espinudp(struct mbuf **mp, int off, /* Ignore keepalive packets */ if ((len == 1) && (*(unsigned char *)data == 0xff)) { - m_free(m); + m_freem(m); *mp = NULL; /* avoid any further processiong by caller ... */ return 1; } @@ -1368,7 +1376,8 @@ udp4_espinudp(struct mbuf **mp, int off, if (ipsec_used) ipsec4_common_input(m, iphdrlen, IPPROTO_ESP); - /* XXX: else */ + else + m_freem(m); /* We handled it, it shouldn't be handled by UDP */ *mp = NULL; /* avoid free by caller ... */
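Review bot: In the udp_input hunk, the new `uh == NULL` branch returns without freeing `m`, which reads like a leak unless the reader knows that IP6_EXTHDR_GET, as I read the macro, releases the chain itself when the pull-down fails. A comment above the `return`, such as `/* m was already freed by IP6_EXTHDR_GET */`, would keep a later editor from adding a second free. The `/* XXX Re-enforce alignment? */` also leaves a real check open: `uh` now points into a chain that udp4_realinput may have rearranged, so whatever alignment handling udp_input applied when it first obtained `uh` (outside this hunk) presumably no longer covers it. `ip` is likewise re-read with a bare `mtod()`, which assumes the IP header is still contiguous in the first mbuf; that is worth confirming against udp4_realinput. udp_input starts and ends outside the hunk.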
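Review bot: In the keepalive branch of udp4_espinudp, nothing states that the function owns the entire chain once it returns 1, which is the contract that both this `m_freem(m)` and the `else m_freem(m)` added in the last hunk rely on. A comment on the branch, such as `/* free the whole chain, not just the first mbuf */`, would help. So would a sentence in the function's header comment saying that `*mp` is set to NULL whenever the mbuf has been consumed; together they make a regression to `m_free` easier to catch in review. The neighbouring comment also has a typo (`processiong`). The function body starts and ends outside the hunk.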
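Review bot: The new `else m_freem(m);` in the last udp4_espinudp hunk discards the ESP-in-UDP packet without bumping any counter, so on a kernel where `ipsec_used` is false such traffic is dropped invisibly. The udp_input hunk of this same commit counts its drop with `UDP_STATINC(UDP_STAT_HDROPS);`. Counting here as well, with whichever existing statistic fits, would let an operator see the traffic in the UDP statistics. With two statements now hanging off an unbraced `if`/`else` directly above the shared `*mp = NULL;`, a one-line comment on the `else` saying why the packet is dropped would also help. The function continues outside the hunk.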