CVS commit: [netbsd-8] src/sys/netinet

Thu, 07 Jun 2018 09:05:26 -0700 

Module Name:    src
Committed By:   martin
Date:           Thu Jun  7 16:05:09 UTC 2018

Modified Files:
        src/sys/netinet [netbsd-8]: udp_usrreq.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #837):

        sys/netinet/udp_usrreq.c: revision 1.237

Fix three pretty bad mistakes in NAT-T:

 * If we got a keepalive packet, we need to call m_freem, not m_free.
   Here the next mbufs in the chain are not freed. Seems easy to remotely
   DoS the system by sending fragmented keepalives in a loop.

 * If !ipsec_used, free the mbuf.

 * In udp_input, we need to update 'uh', because udp4_realinput may have
   modified the chain. Perhaps we also need to re-enforce alignment, so
   add an XXX.


To generate a diff of this commit:
cvs rdiff -u -r1.233.4.2 -r1.233.4.3 src/sys/netinet/udp_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet/udp_usrreq.c
diff -u src/sys/netinet/udp_usrreq.c:1.233.4.2 src/sys/netinet/udp_usrreq.c:1.233.4.3
--- src/sys/netinet/udp_usrreq.c:1.233.4.2	Mon Apr  9 13:34:10 2018
+++ src/sys/netinet/udp_usrreq.c	Thu Jun  7 16:05:09 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.2 2018/04/09 13:34:10 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.233.4.3 2018/06/07 16:05:09 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -410,7 +410,15 @@ udp_input(struct mbuf *m, ...)
 		 */
 		return;
 	}
+
 	ip = mtod(m, struct ip *);
+	IP6_EXTHDR_GET(uh, struct udphdr *, m, iphlen, sizeof(struct udphdr));
+	if (uh == NULL) {
+		UDP_STATINC(UDP_STAT_HDROPS);
+		return;
+	}
+	/* XXX Re-enforce alignment? */
+
 #ifdef INET6
 	if (IN_MULTICAST(ip->ip_dst.s_addr) || n == 0) {
 		struct sockaddr_in6 src6, dst6;
@@ -1287,7 +1295,7 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	/* Ignore keepalive packets */
 	if ((len == 1) && (*(unsigned char *)data == 0xff)) {
-		m_free(m);
+		m_freem(m);
 		*mp = NULL; /* avoid any further processiong by caller ... */
 		return 1;
 	}
@@ -1368,7 +1376,8 @@ udp4_espinudp(struct mbuf **mp, int off,
 
 	if (ipsec_used)
 		ipsec4_common_input(m, iphdrlen, IPPROTO_ESP);
-	/* XXX: else */
+	else
+		m_freem(m);
 
 	/* We handled it, it shouldn't be handled by UDP */
 	*mp = NULL; /* avoid free by caller ... */

Reply via email to