CVS commit: [netbsd-8] src/sys/netipsec

2020-10-08 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Oct  8 17:50:11 UTC 2020

Modified Files:
src/sys/netipsec [netbsd-8]: xform_esp.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1612):

sys/netipsec/xform_esp.c: revision 1.101

Make sequence number of esp header MP-safe for IPsec Tx side. Reviewed by
ozaki-r@n.o

In IPsec Tx side, one Security Association can be used by multiple CPUs.
On the other hand, in IPsec Rx side, one Security Association is used
by only one CPU.

XXX pullup-{8,9}


To generate a diff of this commit:
cvs rdiff -u -r1.55.2.3 -r1.55.2.4 src/sys/netipsec/xform_esp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.55.2.3 src/sys/netipsec/xform_esp.c:1.55.2.4
--- src/sys/netipsec/xform_esp.c:1.55.2.3	Fri Mar 30 11:53:13 2018
+++ src/sys/netipsec/xform_esp.c	Thu Oct  8 17:50:11 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.55.2.3 2018/03/30 11:53:13 martin Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.55.2.4 2020/10/08 17:50:11 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55.2.3 2018/03/30 11:53:13 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55.2.4 2020/10/08 17:50:11 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -804,11 +804,12 @@ esp_output(struct mbuf *m, const struct 
 
 #ifdef IPSEC_DEBUG
 		/* Emulate replay attack when ipsec_replay is TRUE. */
-		if (!ipsec_replay)
+		if (ipsec_replay)
+			replay = htonl(sav->replay->count);
+		else
 #endif
-			sav->replay->count++;
+			replay = htonl(atomic_inc_32_nv(>replay->count));
 
-		replay = htonl(sav->replay->count);
 		memcpy(mtod(mo,char *) + roff + sizeof(uint32_t), ,
 		sizeof(uint32_t));
 	}
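Review bot: the sequence number can still wrap unnoticed. atomic_inc_32_nv() makes the increment and the read a single operation, which closes the lost update the log describes (two CPUs reading the same sav->replay->count and putting the same sequence number on two ESP packets, the second of which the peer's anti-replay window discards), but its return value is never compared with 0: RFC 4303 section 3.3.3 says the sender MUST NOT let a 32-bit sequence number cycle, so a return of 0 should fail the output and expire the SA rather than silently restart the count. Smaller point: the `else` that ends the IPSEC_DEBUG block is completed by the statement after `#endif`; a one-line comment there would stop a later edit from turning it into a dangling else.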


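The Tx-side problem the log describes is a lost update on sav->replay->count: two CPUs read the same value, each writes value+1, and both emit an ESP packet carrying the same sequence number; the peer's anti-replay window then discards the second one. The following C program is an added example, not NetBSD code: it allocates sequence numbers with a C11 compare-and-swap loop (standing in for the kernel's atomic_inc_32_nv()), refuses to wrap the 32-bit counter as RFC 4303 requires, and implements a 64-entry receiver window so the effect of a duplicated number can be seen. All type and function names, and the window width, are the example's own.

```c
/* Added example (not NetBSD code): ESP sequence numbers on the sender
 * and an RFC 4303 style anti-replay window on the receiver. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ESP_REPLAY_WINDOW 64u   /* width of the receiver's bitmap */

/* Transmit side of one SA; may be used by several CPUs at once. */
struct esp_sa_tx {
    _Atomic uint32_t seq;       /* last sequence number handed out */
};

/* Receive side of one SA; the kernel uses it from a single CPU. */
struct esp_sa_rx {
    uint32_t last;              /* highest sequence number accepted */
    uint64_t bitmap;            /* bit k set: seq (last - k) was seen */
};

/*
 * Allocate the next sequence number.  The CAS loop is one atomic
 * read-modify-write, so two CPUs can never be handed the same value
 * (the kernel's atomic_inc_32_nv() gives the same guarantee).  Returns
 * -1 once the counter reaches UINT32_MAX: RFC 4303 3.3.3 says the
 * sender must not let it cycle, so the SA has to be rekeyed instead.
 */
int esp_tx_next_seq(struct esp_sa_tx *sa, uint32_t *out)
{
    uint32_t cur = atomic_load_explicit(&sa->seq, memory_order_relaxed);
    for (;;) {
        if (cur == UINT32_MAX)
            return -1;
        if (atomic_compare_exchange_weak_explicit(&sa->seq, &cur, cur + 1,
            memory_order_relaxed, memory_order_relaxed)) {
            *out = cur + 1;
            return 0;
        }
        /* cur was refreshed by the failed CAS; retry. */
    }
}

/*
 * Receiver check-and-update (RFC 4303 Appendix A).  Returns true and
 * records seq if it is new; false if it is 0, too old, or a replay.
 */
bool esp_rx_replay_check(struct esp_sa_rx *sa, uint32_t seq)
{
    if (seq == 0)
        return false;                       /* never valid with replay on */
    if (seq > sa->last) {                   /* new high: slide the window */
        uint32_t shift = seq - sa->last;
        sa->bitmap = (shift >= ESP_REPLAY_WINDOW) ? 0 : sa->bitmap << shift;
        sa->bitmap |= 1;
        sa->last = seq;
        return true;
    }
    uint32_t diff = sa->last - seq;
    if (diff >= ESP_REPLAY_WINDOW)
        return false;                       /* behind the window */
    if (sa->bitmap & ((uint64_t)1 << diff))
        return false;                       /* already seen: replay */
    sa->bitmap |= (uint64_t)1 << diff;
    return true;
}

/*
 * Constructed scenario: the lost update hands two packets the number 3.
 * Returns how many of the five packets the receiver accepts (expect 4).
 */
int esp_lost_update_demo(void)
{
    struct esp_sa_rx rx = { 0, 0 };
    const uint32_t racy_seqs[] = { 1, 2, 3, 3, 4 };   /* duplicated 3 */
    int accepted = 0;
    for (size_t i = 0; i < sizeof(racy_seqs) / sizeof(racy_seqs[0]); i++)
        accepted += esp_rx_replay_check(&rx, racy_seqs[i]);
    return accepted;
}

int main(void)
{
    struct esp_sa_tx tx = { 0 };
    uint32_t s;
    for (int i = 0; i < 3; i++)
        if (esp_tx_next_seq(&tx, &s) == 0)
            printf("tx seq %u\n", (unsigned)s);
    printf("receiver accepted %d of 5 packets\n", esp_lost_update_demo());
    return 0;
}
```

The relaxed memory order is enough here because the counter carries no other data; the only property needed is that the read-modify-write is indivisible.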

CVS commit: [netbsd-8] src/sys/netipsec

2020-01-31 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jan 31 11:01:38 UTC 2020

Modified Files:
src/sys/netipsec [netbsd-8]: ipsecif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1497):

sys/netipsec/ipsecif.c: revision 1.19

Fix IPv6 over IPv4 ipsecif(4) using the IPv4 SP wrongly. Pointed out by ohishi@IIJ.
XXX pullup-8, pullup-9


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.9 -r1.1.2.10 src/sys/netipsec/ipsecif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.1.2.9 src/sys/netipsec/ipsecif.c:1.1.2.10
--- src/sys/netipsec/ipsecif.c:1.1.2.9	Tue Sep 24 18:27:09 2019
+++ src/sys/netipsec/ipsecif.c	Fri Jan 31 11:01:38 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.1.2.9 2019/09/24 18:27:09 martin Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.1.2.10 2020/01/31 11:01:38 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.9 2019/09/24 18:27:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.10 2020/01/31 11:01:38 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -382,7 +382,17 @@ ipsecif4_output(struct ipsec_variant *va
 	KASSERT(var->iv_psrc->sa_family == AF_INET);
 	KASSERT(var->iv_pdst->sa_family == AF_INET);
 
-	sp = IV_SP_OUT(var);
+	switch (family) {
+	case AF_INET:
+		sp = IV_SP_OUT(var);
+		break;
+	case AF_INET6:
+		sp = IV_SP_OUT6(var);
+		break;
+	default:
+		m_freem(m);
+		return EAFNOSUPPORT;
+	}
 	KASSERT(sp != NULL);
 	/*
 	 * The SPs in ipsec_variant are prevented from freed by
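Review bot: the new `default:` arm frees m before returning EAFNOSUPPORT, so every caller of ipsecif4_output() must treat a non-zero return as "mbuf already consumed"; if any caller also m_freem()s on error this becomes a double free, which is worth confirming. Also, only the KASSERT(sp != NULL) stands between IV_SP_OUT6(var) and a NULL dereference in a non-DIAGNOSTIC kernel; if an ipsecif(4) interface can be configured with an IPv4 policy but no IPv6 one, the AF_INET6 arm should return an error rather than rely on the assertion.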





CVS commit: [netbsd-8] src/sys/netipsec

2019-09-10 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Sep 10 16:03:53 UTC 2019

Modified Files:
src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1372):

sys/netipsec/key.c: revision 1.266

Fix info leaks.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.12 -r1.163.2.13 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.12 src/sys/netipsec/key.c:1.163.2.13
--- src/sys/netipsec/key.c:1.163.2.12	Thu Jul 25 08:58:21 2019
+++ src/sys/netipsec/key.c	Tue Sep 10 16:03:53 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.12 2019/07/25 08:58:21 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.13 2019/09/10 16:03:53 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.12 2019/07/25 08:58:21 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.13 2019/09/10 16:03:53 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -7220,6 +7220,7 @@ key_api_register(struct socket *so, stru
 		sup = (struct sadb_supported *)(mtod(n, char *) + off);
 		sup->sadb_supported_len = PFKEY_UNIT64(alen);
 		sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
+		sup->sadb_supported_reserved = 0;
 		off += PFKEY_ALIGN8(sizeof(*sup));
 
 		for (i = 1; i <= SADB_AALG_MAX; i++) {
@@ -7235,6 +7236,7 @@ key_api_register(struct socket *so, stru
 			key_getsizes_ah(aalgo, i, , );
 			alg->sadb_alg_minbits = _BITS(minkeysize);
 			alg->sadb_alg_maxbits = _BITS(maxkeysize);
+			alg->sadb_alg_reserved = 0;
 			off += PFKEY_ALIGN8(sizeof(*alg));
 		}
 	}
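Review bot: same point for struct sadb_alg: sadb_alg_reserved is cleared here, but sadb_alg_ivlen is not assigned anywhere in the visible part of the AUTH loop, so unless it is set above this hunk or the mbuf is allocated zeroed it still carries uninitialized bytes to user space. Zeroing *alg before filling it in covers every field, including ones added later.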
@@ -7244,6 +7246,7 @@ key_api_register(struct socket *so, stru
 		sup = (struct sadb_supported *)(mtod(n, char *) + off);
 		sup->sadb_supported_len = PFKEY_UNIT64(elen);
 		sup->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT;
+		sup->sadb_supported_reserved = 0;
 		off += PFKEY_ALIGN8(sizeof(*sup));
 
 		for (i = 1; i <= SADB_EALG_MAX; i++) {
@@ -7257,6 +7260,7 @@ key_api_register(struct socket *so, stru
 			alg->sadb_alg_ivlen = ealgo->blocksize;
 			alg->sadb_alg_minbits = _BITS(ealgo->minkey);
 			alg->sadb_alg_maxbits = _BITS(ealgo->maxkey);
+			alg->sadb_alg_reserved = 0;
 			off += PFKEY_ALIGN8(sizeof(struct sadb_alg));
 		}
 	}



CVS commit: [netbsd-8] src/sys/netipsec

2019-07-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jul 22 18:07:07 UTC 2019

Modified Files:
src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1303):

sys/netipsec/key.c: revision 1.264

Avoid a race condition between SA (sav) manipulations

An sav can be removed from the list(s) it belongs to twice, resulting in an assertion
failure of pslist.  It can occur if the following two operations interleave:

(i) a deletion or an update of an SA via the API, and
(ii) a state change (key_sa_chgstate) of the same SA by the timer.

Note that even (ii) removes an sav once from its list(s) on an update.
The cause of the race condition is that the two operations are not serialized
and (i) doesn't get and remove an sav from the list(s) it belongs to atomically.  So
(ii) can be inserted between an acquisition and a removal of (i).

Avoid the race condition by making (i) atomic.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.10 -r1.163.2.11 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.10 src/sys/netipsec/key.c:1.163.2.11
--- src/sys/netipsec/key.c:1.163.2.10	Sat Aug 25 14:35:21 2018
+++ src/sys/netipsec/key.c	Mon Jul 22 18:07:07 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.10 2018/08/25 14:35:21 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.11 2019/07/22 18:07:07 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.10 2018/08/25 14:35:21 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.11 2019/07/22 18:07:07 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -699,8 +699,8 @@ static bool key_sah_has_sav(struct secas
 static void key_sah_ref(struct secashead *);
 static void key_sah_unref(struct secashead *);
 static void key_init_sav(struct secasvar *);
+static void key_wait_sav(struct secasvar *);
 static void key_destroy_sav(struct secasvar *);
-static void key_destroy_sav_with_ref(struct secasvar *);
 static struct secasvar *key_newsav(struct mbuf *,
 	const struct sadb_msghdr *, int *, const char*, int);
 #define	KEY_NEWSAV(m, sadb, e)\
@@ -1601,30 +1601,20 @@ key_destroy_sav(struct secasvar *sav)
 }
 
 /*
- * Destroy sav with holding its reference.
+ * Wait for references of a passed sav to go away.
  */
 static void
-key_destroy_sav_with_ref(struct secasvar *sav)
+key_wait_sav(struct secasvar *sav)
 {
 
 	ASSERT_SLEEPABLE();
 
 	mutex_enter(_sad.lock);
-	sav->state = SADB_SASTATE_DEAD;
-	SAVLIST_WRITER_REMOVE(sav);
-	SAVLUT_WRITER_REMOVE(sav);
-	mutex_exit(_sad.lock);
-
-	/* We cannot unref with holding key_sad.lock */
-	KEY_SA_UNREF();
-
-	mutex_enter(_sad.lock);
+	KASSERT(sav->state == SADB_SASTATE_DEAD);
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
 	localcount_drain(>localcount, _sad.cv_lc, _sad.lock);
 	mutex_exit(_sad.lock);
-
-	key_destroy_sav(sav);
 }
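Review bot: key_wait_sav() now relies on two preconditions that are only enforced under DIAGNOSTIC: the sav must already be marked SADB_SASTATE_DEAD and unlinked (the KASSERT), and the caller must have dropped its own reference first, since the old key_destroy_sav_with_ref() did KEY_SA_UNREF() before draining while this function does not; a caller that still holds a reference would sit in localcount_drain() waiting for itself. Both deserve a sentence in the function comment above the `ASSERT_SLEEPABLE()`.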
 
 /* %%% SPD management */
@@ -3521,6 +3511,38 @@ out:
 }
 
 /*
+ * Search SAD litmited alive SA by an SPI and remove it from a list.
+ * OUT:
+ *	NULL	: not found
+ *	others	: found, pointer to a SA.
+ */
+static struct secasvar *
+key_lookup_and_remove_sav(struct secashead *sah, u_int32_t spi)
+{
+	struct secasvar *sav = NULL;
+	u_int state;
+
+	/* search all status */
+	mutex_enter(_sad.lock);
+	SASTATE_ALIVE_FOREACH(state) {
+		SAVLIST_WRITER_FOREACH(sav, sah, state) {
+			KASSERT(sav->state == state);
+
+			if (sav->spi == spi) {
+sav->state = SADB_SASTATE_DEAD;
+SAVLIST_WRITER_REMOVE(sav);
+SAVLUT_WRITER_REMOVE(sav);
+goto out;
+			}
+		}
+	}
+out:
+	mutex_exit(_sad.lock);
+
+	return sav;
+}
+
+/*
  * Free allocated data to member variables of sav:
  * sav->replay, sav->key_* and sav->lft_*.
  */
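Review bot: two comment nits in the new function: "litmited" in the header comment should be "limited" (and the sentence reads better as "Search the SAD for an alive SA by SPI and remove it from its list"), and "search all status" is no longer accurate because SASTATE_ALIVE_FOREACH only visits the alive states. The header should also state the ownership rule the caller depends on: the returned sav has been marked DEAD and unlinked under key_sad.lock, so the caller is the only one allowed to key_wait_sav()/key_destroy_sav() it, and a NULL return means another path (for example the timer) already took it.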
@@ -5598,7 +5620,7 @@ key_api_update(struct socket *so, struct
 	const struct sockaddr *src, *dst;
 	struct secasindex saidx;
 	struct secashead *sah;
-	struct secasvar *sav, *newsav;
+	struct secasvar *sav, *newsav, *oldsav;
 	u_int16_t proto;
 	u_int8_t mode;
 	u_int16_t reqid;
@@ -5751,12 +5773,25 @@ key_api_update(struct socket *so, struct
 	mutex_exit(_sad.lock);
 	key_validate_savlist(sah, SADB_SASTATE_MATURE);
 
+	/*
+	 * We need to lookup and remove the sav atomically, so get it again
+	 * here by a special API while we have a reference to it.
+	 */
+	oldsav = key_lookup_and_remove_sav(sah, sa0->sadb_sa_spi);
+	/* We can release the reference because of oldsav */
+	KEY_SA_UNREF();
+	if (oldsav == NULL) {
+		/* Someone has already removed the sav.  Nothing to do. */
+	} else {
+		key_wait_sav(oldsav);
+		key_destroy_sav(oldsav);
+		oldsav = NULL;
+	}
+	sav = NULL;
+
 	key_sah_unref(sah);
 	sah = NULL;
 
-	key_destroy_sav_with_ref(sav);
-	sav 
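Review bot: KEY_SA_UNREF() on the original sav happens before the oldsav == NULL test, so from that point on the code must not touch sav again; the `sav = NULL;` a few lines later helps, but the empty `if (oldsav == NULL) { /* comment */ } else { ... }` shape invites someone to add code in the wrong branch. Writing it as `if (oldsav != NULL) { key_wait_sav(oldsav); key_destroy_sav(oldsav); }` with the "someone already removed it" comment above keeps the same logic and is harder to break. The remainder of this hunk, including the removal of the old key_destroy_sav_with_ref(sav) call, is cut off on this page and cannot be checked here.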

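The race in the log is a check-then-act on a list: the API path finds the sav (taking a reference) and unlinks it in two separate critical sections, and the timer's state change can unlink the same sav in between, so the second unlink trips the list assertion. The C below is an added example, not key.c: it models a lock-protected SA list and contrasts the two-step pattern (the double unlink is detected by an `on_list` flag instead of the kernel's pslist assertion) with a single lookup-and-remove under the lock that hands ownership to exactly one caller. The interleaving is scripted rather than produced by threads so the outcome is deterministic; the test-and-set spinlock, the type names and the function names are the example's own.

```c
/* Added example (not NetBSD code): why looking up an SA and unlinking it
 * must happen in one critical section. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum sa_state { SA_MATURE, SA_DYING, SA_DEAD };

struct sav {
    struct sav *next;
    uint32_t spi;
    enum sa_state state;
    bool on_list;       /* stands in for the pslist membership assertion */
    int refcnt;
};

struct sad {
    _Atomic int lock;   /* test-and-set spinlock standing in for key_sad.lock */
    struct sav *head;
};

static void sad_lock(struct sad *db)
{
    while (atomic_exchange(&db->lock, 1))
        ;               /* spin until we own it */
}

static void sad_unlock(struct sad *db)
{
    atomic_store(&db->lock, 0);
}

/* Unlink sav from the list.  Returns false if it is no longer there,
 * which is the double remove the kernel catches with its assertion. */
static bool sad_unlink_locked(struct sad *db, struct sav *sav)
{
    for (struct sav **pp = &db->head; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == sav) {
            *pp = sav->next;
            sav->on_list = false;
            return true;
        }
    }
    return false;
}

/* Old pattern, step (i)a: find by SPI and take a reference. */
struct sav *sad_lookup_ref(struct sad *db, uint32_t spi)
{
    sad_lock(db);
    struct sav *sav = db->head;
    while (sav != NULL && sav->spi != spi)
        sav = sav->next;
    if (sav != NULL)
        sav->refcnt++;
    sad_unlock(db);
    return sav;
}

/* Old pattern, step (i)b: mark DEAD, unlink and drop the reference in a
 * second critical section; anything can run between (i)a and (i)b. */
bool sad_remove_ref(struct sad *db, struct sav *sav)
{
    sad_lock(db);
    sav->state = SA_DEAD;
    bool ok = sad_unlink_locked(db, sav);
    sav->refcnt--;
    sad_unlock(db);
    return ok;
}

/* Step (ii): the timer's state change, which also unlinks the sav. */
bool sad_timer_expire(struct sad *db, struct sav *sav)
{
    sad_lock(db);
    sav->state = SA_DEAD;
    bool ok = sad_unlink_locked(db, sav);
    sad_unlock(db);
    return ok;
}

/* New pattern: lookup and unlink under one lock hold.  A non-NULL result
 * means the caller now owns the sav; NULL means someone else took it. */
struct sav *sad_lookup_and_remove(struct sad *db, uint32_t spi)
{
    sad_lock(db);
    struct sav *sav = db->head;
    while (sav != NULL && sav->spi != spi)
        sav = sav->next;
    if (sav != NULL) {
        sav->state = SA_DEAD;
        sad_unlink_locked(db, sav);
    }
    sad_unlock(db);
    return sav;
}

void sad_init(struct sad *db, struct sav *sav, uint32_t spi)
{
    atomic_store(&db->lock, 0);
    *sav = (struct sav){ NULL, spi, SA_MATURE, true, 0 };
    db->head = sav;
}

/* Scripted interleaving (i)a, (ii), (i)b.  True if the old pattern ends
 * in a double unlink. */
bool demo_two_step_race(void)
{
    struct sad db; struct sav sa;
    sad_init(&db, &sa, 0x1000);
    struct sav *held = sad_lookup_ref(&db, 0x1000);
    sad_timer_expire(&db, &sa);
    return !sad_remove_ref(&db, held);
}

/* Same ordering with the atomic variant: the timer wins and the API path
 * gets NULL, so it has nothing to unlink or destroy. */
bool demo_atomic_remove(void)
{
    struct sad db; struct sav sa;
    sad_init(&db, &sa, 0x1000);
    sad_timer_expire(&db, &sa);
    return sad_lookup_and_remove(&db, 0x1000) == NULL;
}

int main(void)
{
    printf("two-step pattern double unlink: %s\n",
        demo_two_step_race() ? "yes" : "no");
    printf("lookup-and-remove double unlink: %s\n",
        demo_atomic_remove() ? "no" : "yes");
    return 0;
}
```

The point carried over from the patch is the ownership rule: whoever unlinks under the lock is the only party allowed to wait for and destroy the entry, and every other party must be prepared for "already gone".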
CVS commit: [netbsd-8] src/sys/netipsec

2019-07-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Jul 15 08:18:50 UTC 2019

Modified Files:
src/sys/netipsec [netbsd-8]: keysock.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1287):

sys/netipsec/keysock.c: revision 1.69

Fix locking: it is fine if the lock is already key_so_mtx; this can happen
in socketpair. In that case don't take it.

Ok ozaki-r@


To generate a diff of this commit:
cvs rdiff -u -r1.58.2.3 -r1.58.2.4 src/sys/netipsec/keysock.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/keysock.c
diff -u src/sys/netipsec/keysock.c:1.58.2.3 src/sys/netipsec/keysock.c:1.58.2.4
--- src/sys/netipsec/keysock.c:1.58.2.3	Mon Nov 12 12:23:20 2018
+++ src/sys/netipsec/keysock.c	Mon Jul 15 08:18:50 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: keysock.c,v 1.58.2.3 2018/11/12 12:23:20 martin Exp $	*/
+/*	$NetBSD: keysock.c,v 1.58.2.4 2019/07/15 08:18:50 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/keysock.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: keysock.c,v 1.25 2001/08/13 20:07:41 itojun Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.58.2.3 2018/11/12 12:23:20 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: keysock.c,v 1.58.2.4 2019/07/15 08:18:50 martin Exp $");
 
 /* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
 
@@ -475,10 +475,12 @@ key_attach(struct socket *so, int proto)
 
 	s = splsoftnet();
 
-	KASSERT(so->so_lock == NULL);
-	mutex_obj_hold(key_so_mtx);
-	so->so_lock = key_so_mtx;
-	solock(so);
+	if (so->so_lock != key_so_mtx) {
+		KASSERT(so->so_lock == NULL);
+		mutex_obj_hold(key_so_mtx);
+		so->so_lock = key_so_mtx;
+		solock(so);
+	}
 
 	error = raw_attach(so, proto, _rawcb);
 	if (error) {
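Review bot: when so->so_lock is already key_so_mtx (the socketpair case the log describes) the new branch skips solock(so), so raw_attach() below runs under whatever lock the caller holds. That is correct only if the caller already holds key_so_mtx; an `else KASSERT(solocked(so));` would document and enforce that instead of silently trusting it.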



CVS commit: [netbsd-8] src/sys/netipsec

2019-05-29 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed May 29 15:57:38 UTC 2019

Modified Files:
src/sys/netipsec [netbsd-8]: ipsecif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #1273):

sys/netipsec/ipsecif.c: revision 1.16

Don't clear calculated Tx tos value for IPv[46] over IPv6.


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.7 -r1.1.2.8 src/sys/netipsec/ipsecif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.1.2.7 src/sys/netipsec/ipsecif.c:1.1.2.8
--- src/sys/netipsec/ipsecif.c:1.1.2.7	Thu May 17 14:07:03 2018
+++ src/sys/netipsec/ipsecif.c	Wed May 29 15:57:38 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.1.2.7 2018/05/17 14:07:03 martin Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.1.2.8 2019/05/29 15:57:38 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.7 2018/05/17 14:07:03 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.8 2019/05/29 15:57:38 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -557,13 +557,13 @@ ipsecif6_output(struct ipsec_variant *va
 		return ENETUNREACH;
 	}
 #ifndef IPSEC_TX_TOS_CLEAR
+	if (!ip6_ipsec_copy_tos)
+		otos = 0;
+
 	if (ifp->if_flags & IFF_ECN)
 		ip_ecn_ingress(ECN_ALLOWED, , );
 	else
 		ip_ecn_ingress(ECN_NOCARE, , );
-
-	if (!ip6_ipsec_copy_tos)
-		otos = 0;
 #else
 	if (ip6_ipsec_copy_tos)
 		otos = itos;
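Review bot: the order now matters and nothing says so. Clearing otos before ip_ecn_ingress() means the ECN bits ip_ecn_ingress() writes into otos survive when ip6_ipsec_copy_tos is off, whereas the old order wiped them (the bug in the log); a one-line comment above `if (!ip6_ipsec_copy_tos)` saying the clear must precede ip_ecn_ingress() would stop the next cleanup from moving it back. The `#else` (IPSEC_TX_TOS_CLEAR) branch is untouched here; worth checking whether it has the same ordering problem.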



CVS commit: [netbsd-8] src/sys/netipsec

2018-08-25 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Aug 25 14:35:22 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #986):

sys/netipsec/key.c: revision 1.257

Don't call key_ismyaddr, which may sleep, in a pserialize read section

Use mutex here instead of pserialize because using mutex is simpler than
using psz+ref, which is another solution, and key_checkspidup isn't called in
any performance-sensitive paths.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.9 -r1.163.2.10 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.9 src/sys/netipsec/key.c:1.163.2.10
--- src/sys/netipsec/key.c:1.163.2.9	Wed Apr 18 14:06:24 2018
+++ src/sys/netipsec/key.c	Sat Aug 25 14:35:21 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.9 2018/04/18 14:06:24 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.10 2018/08/25 14:35:21 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.9 2018/04/18 14:06:24 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.10 2018/08/25 14:35:21 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -3458,7 +3458,6 @@ key_checkspidup(const struct secasindex 
 {
 	struct secashead *sah;
 	struct secasvar *sav;
-	int s;
 
 	/* check address family */
 	if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) {
@@ -3467,18 +3466,19 @@ key_checkspidup(const struct secasindex 
 	}
 
 	/* check all SAD */
-	s = pserialize_read_enter();
-	SAHLIST_READER_FOREACH(sah) {
+	/* key_ismyaddr may sleep, so use mutex, not pserialize, here. */
+	mutex_enter(_sad.lock);
+	SAHLIST_WRITER_FOREACH(sah) {
 		if (!key_ismyaddr((struct sockaddr *)>saidx.dst))
 			continue;
 		sav = key_getsavbyspi(sah, spi);
 		if (sav != NULL) {
-			pserialize_read_exit(s);
 			KEY_SA_UNREF();
+			mutex_exit(_sad.lock);
 			return true;
 		}
 	}
-	pserialize_read_exit(s);
+	mutex_exit(_sad.lock);
 
 	return false;
 }
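Review bot: KEY_SA_UNREF() is now called with key_sad.lock held, while the same file says in key_destroy_sav_with_ref() that "We cannot unref with holding key_sad.lock". It is safe here only because the sav is still on its sah list and cannot lose that list reference while the lock is held, so this cannot be the last unref; that reasoning belongs in a comment next to the call, or the unref should move after mutex_exit() the way the pserialize version put it after pserialize_read_exit().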



CVS commit: [netbsd-8] src/sys/netipsec

2018-06-22 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jun 22 17:54:47 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #889):

sys/netinet6/ip6_output.c: revision 1.205
sys/netipsec/xform_ah.c: revision 1.90,1.93,1.102,1.103

Simplify the IPv4 parser. Get the option length in 'optlen', and sanitize
it earlier. A new check is added (off + optlen > skip).

In the IPv6 parser we reuse 'optlen', and remove 'ad' as a result.

Remove the kernel RH0 code. RH0 is deprecated by RFC5095, for security
reasons. RH0 was already removed in the kernel's input path, but some
parts were still present in the output path: they are now removed.
Sent on tech-net@ a few days ago.

Fix non-INET6 builds

Strengthen and simplify, once more.


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.6 -r1.54.2.7 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.6 src/sys/netipsec/xform_ah.c:1.54.2.7
--- src/sys/netipsec/xform_ah.c:1.54.2.6	Sun Apr  1 08:48:39 2018
+++ src/sys/netipsec/xform_ah.c	Fri Jun 22 17:54:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.6 2018/04/01 08:48:39 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.7 2018/06/22 17:54:47 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.6 2018/04/01 08:48:39 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.7 2018/06/22 17:54:47 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -276,15 +276,15 @@ ah_massage_headers(struct mbuf **m0, int
 {
 	struct mbuf *m = *m0;
 	unsigned char *ptr;
-	int off, count;
+	int off, optlen;
 #ifdef INET
 	struct ip *ip;
 #endif
 #ifdef INET6
+	int count, ip6optlen;
 	struct ip6_ext *ip6e;
 	struct ip6_hdr ip6;
-	struct ip6_rthdr *rh;
-	int alloc, ad, nxt;
+	int alloc, nxt;
 #endif
 
 	switch (proto) {
@@ -339,56 +339,32 @@ ah_massage_headers(struct mbuf **m0, int
 
 		/* IPv4 option processing */
 		for (off = sizeof(struct ip); off < skip;) {
-			if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
-			off + 1 < skip)
-;
-			else {
-DPRINTF(("%s: illegal IPv4 option length for "
-"option %d\n", __func__, ptr[off]));
-
+			if (ptr[off] == IPOPT_EOL) {
+break;
+			} else if (ptr[off] == IPOPT_NOP) {
+optlen = 1;
+			} else if (off + 1 < skip) {
+optlen = ptr[off + 1];
+if (optlen < 2 || off + optlen > skip) {
+	m_freem(m);
+	return EINVAL;
+}
+			} else {
 m_freem(m);
 return EINVAL;
 			}
 
 			switch (ptr[off]) {
-			case IPOPT_EOL:
-off = skip;  /* End the loop. */
-break;
-
 			case IPOPT_NOP:
-off++;
-break;
-
-			case IPOPT_SECURITY:	/* 0x82 */
+			case IPOPT_SECURITY:
 			case 0x85:	/* Extended security. */
 			case 0x86:	/* Commercial security. */
 			case 0x94:	/* Router alert */
 			case 0x95:	/* RFC1770 */
-/* Sanity check for option length. */
-if (ptr[off + 1] < 2) {
-	DPRINTF(("%s: illegal IPv4 option "
-	"length for option %d\n", __func__,
-	ptr[off]));
-
-	m_freem(m);
-	return EINVAL;
-}
-
-off += ptr[off + 1];
 break;
 
 			case IPOPT_LSRR:
 			case IPOPT_SSRR:
-/* Sanity check for option length. */
-if (ptr[off + 1] < 2) {
-	DPRINTF(("%s: illegal IPv4 option "
-	"length for option %d\n", __func__,
-	ptr[off]));
-
-	m_freem(m);
-	return EINVAL;
-}
-
 /*
  * On output, if we have either of the
  * source routing options, we should
@@ -400,32 +376,21 @@ ah_massage_headers(struct mbuf **m0, int
  */
 if (out)
 	memcpy(>ip_dst,
-	ptr + off + ptr[off + 1] -
+	ptr + off + optlen -
 	sizeof(struct in_addr),
 	sizeof(struct in_addr));
+/* FALLTHROUGH */
 
-/* Fall through */
 			default:
-/* Sanity check for option length. */
-if (ptr[off + 1] < 2) {
-	DPRINTF(("%s: illegal IPv4 option "
-	"length for option %d\n", __func__,
-	ptr[off]));
-	m_freem(m);
-	return EINVAL;
-}
-
 /* Zeroize all other options. */
-count = ptr[off + 1];
-memcpy(ptr + off, ipseczeroes, count);
-off += count;
+memcpy(ptr + off, ipseczeroes, optlen);
 break;
 			}
 
+			off += optlen;
+
 			/* Sanity check. */
 			if (off > skip)	{
-DPRINTF(("%s: malformed IPv4 options header\n",
-	__func__));
 m_freem(m);
 return EINVAL;
 			}
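Review bot: the new length check (`optlen < 2 || off + optlen > skip`) keeps the loop inside the header, but the LSRR/SSRR arm still copies from `ptr + off + optlen - sizeof(struct in_addr)` with optlen allowed to be as small as 2, which reads bytes before the option instead of an address. A source-route option needs type, length, pointer and at least one address, so require `optlen >= 3 + sizeof(struct in_addr)` (and ideally `(optlen - 3) % sizeof(struct in_addr) == 0`) in that arm before the memcpy. Minor: with the early check in place the trailing `if (off > skip)` test can no longer fire and can go.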
@@ -460,11 +425,12 @@ ah_massage_headers(struct mbuf **m0, int
 		/* Done with IPv6 header. */
 		m_copyback(m, 0, sizeof(struct ip6_hdr), );
 
+		ip6optlen = skip - sizeof(struct 



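The IPv4 option walk the log describes (read optlen, reject optlen < 2 and off + optlen > skip, zero the mutable options, copy the final LSRR/SSRR hop into the destination) is the part of AH processing that handles attacker-controlled lengths, so it is worth seeing as a stand-alone routine with tests. The C below is an added example, not the xform_ah.c code: ah_zero_mutable_ipv4_options() operates on a plain byte buffer holding the IPv4 header, redefines the option codes locally with the same values as <netinet/ip.h> (the names for the 0x85, 0x86, 0x94 and 0x95 options are the example's own), and adds one check the patch does not have, a minimum length for source-route options before the final address is read. The headers used in the tests are constructed.

```c
/* Added example (not NetBSD code): AH-style IPv4 option sanitizer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option codes, same values as <netinet/ip.h>, redefined locally. */
#define IPOPT_EOL       0
#define IPOPT_NOP       1
#define IPOPT_SECURITY  130     /* 0x82 */
#define IPOPT_LSRR      131
#define IPOPT_ESEC      133     /* 0x85 extended security */
#define IPOPT_CIPSO     134     /* 0x86 commercial security */
#define IPOPT_SSRR      137
#define IPOPT_RA        148     /* 0x94 router alert */
#define IPOPT_SDB       149     /* 0x95 RFC 1770 */

#define IPV4_HDR_MIN    20
#define IPV4_ADDR_LEN   4

/* Options whose contents must survive AH (immutable in RFC 4302 terms). */
static bool ah_option_is_immutable(uint8_t code)
{
    switch (code) {
    case IPOPT_SECURITY: case IPOPT_ESEC: case IPOPT_CIPSO:
    case IPOPT_RA: case IPOPT_SDB:
        return true;
    default:
        return false;
    }
}

/*
 * Walk the options of the IPv4 header in hdr[0..hlen) and zero every
 * mutable one in place.  On output (out == true) a source-route option
 * also has its final hop copied into the destination address field,
 * because that is the address the receiver will see.  Returns 0, or -1
 * if an option length does not fit in the header; the caller must then
 * drop the packet.
 */
int ah_zero_mutable_ipv4_options(uint8_t *hdr, size_t hlen, bool out)
{
    if (hlen < IPV4_HDR_MIN || (hlen & 3) != 0)
        return -1;

    for (size_t off = IPV4_HDR_MIN; off < hlen; ) {
        uint8_t code = hdr[off];
        size_t optlen;

        if (code == IPOPT_EOL) {
            break;                          /* rest of the area is padding */
        } else if (code == IPOPT_NOP) {
            optlen = 1;
        } else if (off + 1 < hlen) {
            optlen = hdr[off + 1];          /* attacker-controlled */
            if (optlen < 2 || off + optlen > hlen)
                return -1;
        } else {
            return -1;                      /* type byte with no length byte */
        }

        if (code == IPOPT_LSRR || code == IPOPT_SSRR) {
            /* type, length, pointer and at least one whole address */
            if (optlen < 3 + IPV4_ADDR_LEN || (optlen - 3) % IPV4_ADDR_LEN != 0)
                return -1;
            if (out)
                memcpy(hdr + 16, hdr + off + optlen - IPV4_ADDR_LEN, IPV4_ADDR_LEN);
        }

        if (code != IPOPT_NOP && !ah_option_is_immutable(code))
            memset(hdr + off, 0, optlen);   /* mutable: zero for the ICV */

        off += optlen;
    }
    return 0;
}

/* Build a minimal 20-byte header followed by opts, padded to 4 bytes. */
size_t make_ipv4_header(uint8_t *buf, const uint8_t *opts, size_t optslen)
{
    size_t hlen = (IPV4_HDR_MIN + optslen + 3) & ~(size_t)3;
    memset(buf, 0, hlen);
    buf[0] = 0x40 | (uint8_t)(hlen / 4);     /* version 4, IHL */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4); /* src 10.0.0.1 (constructed) */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4); /* dst 10.0.0.2 (constructed) */
    memcpy(buf + IPV4_HDR_MIN, opts, optslen);
    return hlen;
}

int main(void)
{
    uint8_t pkt[60];
    /* LSRR: type, len 7, pointer 4, one hop 192.0.2.9 (constructed) */
    const uint8_t lsrr[] = { IPOPT_LSRR, 7, 4, 192, 0, 2, 9 };
    size_t hlen = make_ipv4_header(pkt, lsrr, sizeof(lsrr));
    int rc = ah_zero_mutable_ipv4_options(pkt, hlen, true);
    printf("rc=%d dst=%u.%u.%u.%u\n", rc, (unsigned)pkt[16],
        (unsigned)pkt[17], (unsigned)pkt[18], (unsigned)pkt[19]);
    return 0;
}
```

Every rejection returns before any byte is written, so a malformed header is dropped without having been partly modified; the kernel version frees the mbuf at the same points.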
CVS commit: [netbsd-8] src/sys/netipsec

2018-05-05 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat May  5 19:31:33 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #799):

sys/netipsec/ipsec_output.c: revision 1.75
sys/netipsec/ipsec_output.c: revision 1.67

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.48.2.2 -r1.48.2.3 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.48.2.2 src/sys/netipsec/ipsec_output.c:1.48.2.3
--- src/sys/netipsec/ipsec_output.c:1.48.2.2	Tue Jan  2 10:20:34 2018
+++ src/sys/netipsec/ipsec_output.c	Sat May  5 19:31:33 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -633,7 +633,7 @@ bad:
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
 	int nxt;
@@ -650,7 +650,11 @@ compute_ipsec_pos(struct mbuf *m, int *i
 	 * put AH/ESP/IPcomp header.
 	 *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
 	 */
-	do {
+	while (1) {
+		if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+			return EINVAL;
+		}
+
 		switch (nxt) {
 		case IPPROTO_AH:
 		case IPPROTO_ESP:
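Review bot: the bounds check runs before nxt is looked at, so a packet with no bytes after the last header about to be examined (next header IPPROTO_NONE, or an upper-layer protocol with an empty payload) now fails with EINVAL and is dropped instead of reaching the `default: return 0` arm as it did with the do/while. Move the check into the HOPOPTS/DSTOPTS/ROUTING arm immediately before the m_copydata() that reads ip6e, and after `*i += (ip6e.ip6e_len + 1) << 3` also check that the new *i does not exceed m->m_pkthdr.len, so a header that claims more bytes than the packet has is rejected even when the next header is not an extension header. Minor: `*i + sizeof(ip6e)` promotes *i to size_t; that is fine while *i is non-negative, but a cast would make the intent explicit.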
@@ -659,7 +663,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should not skip security header added
 		 * beforehand.
 		 */
-			return;
+			return 0;
 
 		case IPPROTO_HOPOPTS:
 		case IPPROTO_DSTOPTS:
@@ -669,7 +673,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		 * we should stop there.
 		 */
 			if (nxt == IPPROTO_DSTOPTS && dstopt)
-return;
+return 0;
 
 			if (nxt == IPPROTO_DSTOPTS) {
 /*
@@ -689,16 +693,14 @@ compute_ipsec_pos(struct mbuf *m, int *i
 			m_copydata(m, *i, sizeof(ip6e), );
 			nxt = ip6e.ip6e_nxt;
 			*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-			/*
-			 * we will never see nxt == IPPROTO_AH
-			 * so it is safe to omit AH case.
-			 */
 			*i += (ip6e.ip6e_len + 1) << 3;
 			break;
 		default:
-			return;
+			return 0;
 		}
-	} while (*i < m->m_pkthdr.len);
+	}
+
+	return 0;
 }
 
 static int
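Review bot: the `return 0;` after the `while (1)` loop is unreachable, since every exit from the loop is an explicit return. Drop it, or keep it only if the compilers in use warn about falling off the end of a non-void function.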
@@ -802,7 +804,9 @@ ipsec6_process_packet(
 		i = ip->ip_hl << 2;
 		off = offsetof(struct ip, ip_p);
 	} else {	
-		compute_ipsec_pos(m, , );
+		error = compute_ipsec_pos(m, , );
+		if (error)
+			goto unrefsav;
 	}
 	error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
 	KEY_SA_UNREF();
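Review bot: the log says a failing compute_ipsec_pos() must drop the packet, but this hunk only shows `goto unrefsav`; confirm that the code at that label frees m rather than only releasing the SA reference, otherwise every malformed forwarded packet leaks an mbuf, which is an attacker-triggerable resource leak.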





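The forwarding case in the log (a received packet with arbitrary extension headers is handed to IPsec without its options being sanitized) is a reminder that the walk locating where AH/ESP go is a parser over untrusted input. The C below is an added example, not the compute_ipsec_pos() code: it walks a raw IPv6 packet in a byte buffer, stops where an AH/ESP header would be inserted (after hop-by-hop, after a first destination-options header that precedes a routing header and after the routing header; before existing AH/ESP, before a second destination-options header and before the upper-layer payload), and bounds-checks both the two bytes it reads and the full length each header claims, so a truncated header is reported rather than read past. It also accepts a packet with nothing after its base header when the next header is not an extension header. The rule for telling the two destination-options headers apart is this example's own reading of RFC 2460; the protocol numbers are the IANA ones and are redefined locally. Packets in the tests are constructed.

```c
/* Added example (not NetBSD code): find the IPsec insertion point in an
 * IPv6 packet with bounds checking on every extension header. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers, redefined locally. */
#define IPPROTO_HOPOPTS   0
#define IPPROTO_TCP       6
#define IPPROTO_ROUTING   43
#define IPPROTO_ESP       50
#define IPPROTO_AH        51
#define IPPROTO_NONE      59
#define IPPROTO_DSTOPTS   60

#define IP6_HDR_LEN       40
#define IP6_NXT_OFF       6     /* offset of the next-header byte */

/*
 * Compute where AH/ESP would be inserted.  On success returns 0 and sets
 * *pos to the byte offset of the insertion point and *nxt_off to the
 * offset of the next-header byte that must be rewritten to point at the
 * new header.  Returns -1 if an extension header is truncated; the
 * caller must drop the packet.
 */
int ip6_ipsec_insert_pos(const uint8_t *pkt, size_t len,
    size_t *pos, size_t *nxt_off)
{
    if (len < IP6_HDR_LEN)
        return -1;

    uint8_t nxt = pkt[IP6_NXT_OFF];
    size_t off = IP6_HDR_LEN;
    size_t noff = IP6_NXT_OFF;
    int seen_routing = 0;

    for (;;) {
        switch (nxt) {
        case IPPROTO_AH:
        case IPPROTO_ESP:
            goto done;                  /* never go past existing IPsec */

        case IPPROTO_HOPOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS: {
            if (nxt == IPPROTO_DSTOPTS && seen_routing)
                goto done;              /* dest2: belongs to the payload */
            if (off + 2 > len)
                return -1;              /* no room for nxt/len bytes */
            size_t hdrlen = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hdrlen > len)
                return -1;              /* header claims more than exists */
            if (nxt == IPPROTO_DSTOPTS && pkt[off] != IPPROTO_ROUTING)
                goto done;              /* dest1 only if routing follows */
            if (nxt == IPPROTO_ROUTING)
                seen_routing = 1;
            noff = off;                 /* this header's next-header byte */
            nxt = pkt[off];
            off += hdrlen;
            break;
        }
        default:
            goto done;                  /* upper layer, NONE, unknown */
        }
    }
done:
    *pos = off;
    *nxt_off = noff;
    return 0;
}

/* Build a 40-byte base header plus the given extension chain (constructed). */
size_t make_ip6_packet(uint8_t *buf, uint8_t first_nxt,
    const uint8_t *ext, size_t extlen)
{
    memset(buf, 0, IP6_HDR_LEN);
    buf[0] = 0x60;                      /* version 6 */
    buf[IP6_NXT_OFF] = first_nxt;
    if (extlen > 0)
        memcpy(buf + IP6_HDR_LEN, ext, extlen);
    return IP6_HDR_LEN + extlen;
}

int main(void)
{
    uint8_t pkt[128];
    /* hop-by-hop (8 bytes) followed by TCP */
    const uint8_t hbh[] = { IPPROTO_TCP, 0, 0, 0, 0, 0, 0, 0 };
    size_t len = make_ip6_packet(pkt, IPPROTO_HOPOPTS, hbh, sizeof(hbh));
    size_t pos, noff;
    int rc = ip6_ipsec_insert_pos(pkt, len, &pos, &noff);
    printf("rc=%d pos=%zu nxt_off=%zu\n", rc, pos, noff);
    return 0;
}
```

The length check is done before the header's own bytes are read and again after its claimed length is added, so a chain that ends exactly at the packet boundary is accepted while one that runs past it is rejected whatever its final next-header value is.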
CVS commit: [netbsd-8] src/sys/netipsec

2018-04-18 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Apr 18 14:06:24 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: key.c keydb.h

Log Message:
Pull up following revision(s) (requested by yamaguchi in ticket #776):

sys/netipsec/key.c: revision 1.251-1.253
sys/netipsec/keydb.h: revision 1.22

Introduced a hash table to sahlist

An saidx of sah included in the list is unique so that
the search can use a hash list whose hash is calculated by
the saidx to find an sah quickly.

The hash list of the sahlist is used in FreeBSD, too.
Reviewed by ozaki-r@n.o, thanks.

Added a lookup table to find an sav quickly
key_sad.sahlists doesn't work well for inbound packets because
its key includes the source address. For that reason, the
lookup table for the inbound packets is newly added.
The table has all savs whose state is MATURE or DYING and uses a
key calculated by destination address, protocol, and spi instead
of saidx.

Reviewed by ozaki-r@n.o, thanks.

Fix panic of SADB when the state of sav is changed in timeout.
Pointed out by ozaki-r@n.o, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.8 -r1.163.2.9 src/sys/netipsec/key.c
cvs rdiff -u -r1.15.2.2 -r1.15.2.3 src/sys/netipsec/keydb.h


Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.8 src/sys/netipsec/key.c:1.163.2.9
--- src/sys/netipsec/key.c:1.163.2.8	Mon Apr 16 14:31:44 2018
+++ src/sys/netipsec/key.c	Wed Apr 18 14:06:24 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.8 2018/04/16 14:31:44 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.9 2018/04/18 14:06:24 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.8 2018/04/16 14:31:44 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.9 2018/04/18 14:06:24 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -72,6 +72,7 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.16
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -122,6 +123,14 @@ __KERNEL_RCSID(0, "$NetBSD: key.c,v 1.16
 #define PORT_LOOSE	1
 #define PORT_STRICT	2
 
+#ifndef SAHHASH_NHASH
+#define SAHHASH_NHASH		128
+#endif
+
+#ifndef SAVLUT_NHASH
+#define SAVLUT_NHASH		128
+#endif
+
 percpu_t *pfkeystat_percpu;
 
 /*
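Review bot: `SAHHASH_NHASH` and `SAVLUT_NHASH` carry no comment saying what they size or which values are legal; the `sahlistmask`/`savlutmask` fields added to `key_sad` further down imply that a bucket is picked by masking the hash, which only reaches every bucket when the count is a power of two, so an `#ifndef` override to, say, 100 would silently leave buckets unused unless the allocation rounds up. Suggest a one-line comment on each define stating the power-of-two requirement, backed by a compile-time assertion.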
@@ -204,20 +213,23 @@ static u_int32_t acq_seq = 0;
 /*
  * Locking notes on SAD:
  * - Data structures
- *   - SAs are managed by the list called key_sad.sahlist and sav lists of sah
- * entries
+ *   - SAs are managed by the list called key_sad.sahlists and sav lists of
+ * sah entries
  * - An sav is supposed to be an SA from a viewpoint of users
  *   - A sah has sav lists for each SA state
- *   - Multiple sahs with the same saidx can exist
+ *   - Multiple saves with the same saidx can exist
  * - Only one entry has MATURE state and others should be DEAD
  * - DEAD entries are just ignored from searching
- * - Modifications to the key_sad.sahlist and sah.savlist must be done with
- *   holding key_sad.lock which is a adaptive mutex
- * - Read accesses to the key_sad.sahlist and sah.savlist must be in
- *   pserialize(9) read sections
+ *   - All sav whose state is MATURE or DYING are registered to the lookup
+ * table called key_sad.savlut in addition to the savlists.
+ * - The table is used to search an sav without use of saidx.
+ * - Modifications to the key_sad.sahlists, sah.savlist and key_sad.savlut
+ *   must be done with holding key_sad.lock which is a adaptive mutex
+ * - Read accesses to the key_sad.sahlists, sah.savlist and key_sad.savlut
+ *   must be in pserialize(9) read sections
  * - sah's lifetime is managed by localcount(9)
  * - Getting an sah entry
- *   - We get an sah from the key_sad.sahlist
+ *   - We get an sah from the key_sad.sahlists
  * - Must iterate the list and increment the reference count of a found sah
  *   (by key_sah_ref) in a pserialize read section
  *   - A gotten sah must be released after use by key_sah_unref
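Review bot: the rewritten bullet 'Multiple saves with the same saidx can exist' has a typo; the rest of the block says 'sav'/'savs', so 'savs' is meant (if the bullet is still about sah entries, keep the original 'sahs'; with sahlists now keyed by a unique saidx the two readings differ, so pick one). The same hunk rewrites the line with 'a adaptive mutex', which should read 'an adaptive mutex'.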
@@ -261,7 +273,10 @@ static struct {
 static struct {
 	kmutex_t lock;
 	kcondvar_t cv_lc;
-	struct pslist_head sahlist;
+	struct pslist_head *sahlists;
+	u_long sahlistmask;
+	struct pslist_head *savlut;
+	u_long savlutmask;
 
 	pserialize_t psz;
 	kcondvar_t cv_psz;
@@ -341,13 +356,23 @@ static struct {
 #define SAHLIST_WRITER_REMOVE(sah)	\
 	PSLIST_WRITER_REMOVE((sah), pslist_entry)
 #define SAHLIST_READER_FOREACH(sah)	\
-	PSLIST_READER_FOREACH((sah), _sad.sahlist, struct secashead,\
-	  pslist_entry)
+	for(int _i_sah = 0; _i_sah <= key_sad.sahlistmask; _i_sah++)	\
+		PSLIST_READER_FOREACH((sah), _sad.sahlists[_i_sah],	\
+		  struct secashead, pslist_entry)
+#define 
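Review bot: nesting `PSLIST_READER_FOREACH` inside a bucket `for` changes what `break` does for every existing user of `SAHLIST_READER_FOREACH`: a `break` on a match now leaves only the inner per-bucket loop, the outer loop carries on through the remaining buckets, and when it finishes `sah` holds whatever the last bucket's iteration ended with (NULL at end of list) rather than the match. Callers that break and then use `sah` need a `goto` out of both loops or a found flag; worth auditing them as part of this change. Minor: `_i_sah` is an `int` compared against the `u_long` `sahlistmask`, so declare it `u_long`, and add the space after `for`.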


CVS commit: [netbsd-8] src/sys/netipsec

2018-04-17 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Apr 17 15:06:20 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #773):

sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24

Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.

The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().

Fix a pretty bad mistake, that has always been there.

m_adj(m1, -(m1->m_len - roff));
if (m1 != m)
	m->m_pkthdr.len -= (m1->m_len - roff);

This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.

Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.2.1 src/sys/netipsec/ipsec_mbuf.c


Modified files:

Index: src/sys/netipsec/ipsec_mbuf.c
diff -u src/sys/netipsec/ipsec_mbuf.c:1.16 src/sys/netipsec/ipsec_mbuf.c:1.16.2.1
--- src/sys/netipsec/ipsec_mbuf.c:1.16	Fri May 19 04:34:09 2017
+++ src/sys/netipsec/ipsec_mbuf.c	Tue Apr 17 15:06:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_mbuf.c,v 1.16 2017/05/19 04:34:09 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_mbuf.c,v 1.16.2.1 2018/04/17 15:06:20 martin Exp $	*/
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
  * All rights reserved.
@@ -28,7 +28,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.16 2017/05/19 04:34:09 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_mbuf.c,v 1.16.2.1 2018/04/17 15:06:20 martin Exp $");
 
 /*
  * IPsec-specific mbuf routines.
@@ -403,10 +403,11 @@ m_striphdr(struct mbuf *m, int skip, int
 		/* The header was at the beginning of the mbuf */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_FRONT);
 		m_adj(m1, hlen);
-		if ((m1->m_flags & M_PKTHDR) == 0)
+		if (m1 != m)
 			m->m_pkthdr.len -= hlen;
 	} else if (roff + hlen >= m1->m_len) {
 		struct mbuf *mo;
+		int adjlen;
 
 		/*
 		 * Part or all of the header is at the end of this mbuf,
@@ -415,11 +416,13 @@ m_striphdr(struct mbuf *m, int skip, int
 		 */
 		IPSEC_STATINC(IPSEC_STAT_INPUT_END);
 		if (roff + hlen > m1->m_len) {
+			adjlen = roff + hlen - m1->m_len;
+
 			/* Adjust the next mbuf by the remainder */
-			m_adj(m1->m_next, roff + hlen - m1->m_len);
+			m_adj(m1->m_next, adjlen);
 
 			/* The second mbuf is guaranteed not to have a pkthdr... */
-			m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+			m->m_pkthdr.len -= adjlen;
 		}
 
 		/* Now, let's unlink the mbuf chain for a second...*/
@@ -427,9 +430,10 @@ m_striphdr(struct mbuf *m, int skip, int
 		m1->m_next = NULL;
 
 		/* ...and trim the end of the first part of the chain...sick */
-		m_adj(m1, -(m1->m_len - roff));
-		if ((m1->m_flags & M_PKTHDR) == 0)
-			m->m_pkthdr.len -= (m1->m_len - roff);
+		adjlen = m1->m_len - roff;
+		m_adj(m1, -adjlen);
+		if (m1 != m)
+			m->m_pkthdr.len -= adjlen;
 
 		/* Finally, let's relink */
 		m1->m_next = mo;
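Review bot: the correctness of this block now rests on `adjlen` being captured before `m_adj()` shortens `m1->m_len`, and nothing in the source says so; a short comment on the `adjlen = m1->m_len - roff;` line (m_adj modifies m1->m_len, so compute the delta first) would stop the next cleanup from folding it back into the call and reintroducing the bug the commit message describes.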



CVS commit: [netbsd-8] src/sys/netipsec

2018-04-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Apr 16 14:31:44 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by yamaguchi in ticket #766):

sys/netipsec/key.c: revision 1.250

Removed the unnecessary order check of key_lookup_sa

The key_prefered_oldsa flag can change the sa to use if an sah
has multiple savs. However, multiple savs whose protocol
is ah, esp, or tcp cannot exist because their duplication
is checked by the spi value. Although multiple savs
can exist in the case of ipcomp, the values used in the
post processing are the same between the savs.

For those reasons, there is no need to select an sav by its
lifetime.

In addition, FreeBSD has already removed this.
reviewed by ozaki-r@n.o, thanks.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.7 -r1.163.2.8 src/sys/netipsec/key.c


Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.7 src/sys/netipsec/key.c:1.163.2.8
--- src/sys/netipsec/key.c:1.163.2.7	Wed Mar  7 13:46:41 2018
+++ src/sys/netipsec/key.c	Mon Apr 16 14:31:44 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.7 2018/03/07 13:46:41 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.8 2018/04/16 14:31:44 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.7 2018/03/07 13:46:41 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.8 2018/04/16 14:31:44 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -427,6 +427,12 @@ static const u_int saorder_state_any[] =
 	_i < __arraycount(saorder_state_any) ?		\
 	(s) = saorder_state_any[_i], true : false;		\
 	_i++)
+#define SASTATE_USABLE_FOREACH(s)\
+	for (int _i = 0;	\
+	_i < __arraycount(saorder_state_valid_prefer_new) ?	\
+	(s) = saorder_state_valid_prefer_new[_i],		\
+	true : false;	\
+	_i++)
 
 static const int minsize[] = {
 	sizeof(struct sadb_msg),	/* SADB_EXT_RESERVED */
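Review bot: `SASTATE_USABLE_FOREACH` pins the iteration order to `saorder_state_valid_prefer_new` without a comment, and the name does not say that the order is fixed. The commit message gives the reasoning (duplicate savs cannot exist for ah/esp/tcp, and for ipcomp the values used afterwards are the same); put that reasoning above the macro so the next reader does not try to 'restore' the `key_prefered_oldsa` switch here.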
@@ -1199,9 +1205,8 @@ key_lookup_sa(
 {
 	struct secashead *sah;
 	struct secasvar *sav;
-	u_int stateidx, state;
-	const u_int *saorder_state_valid;
-	int arraysize, chkport;
+	u_int state;
+	int chkport;
 	int s;
 
 	int must_check_spi = 1;
@@ -1245,18 +1250,10 @@ key_lookup_sa(
 	 * IPsec tunnel packet is received.  But ESP tunnel mode is
 	 * encrypted so we can't check internal IP header.
 	 */
-	if (key_prefered_oldsa) {
-		saorder_state_valid = saorder_state_valid_prefer_old;
-		arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
-	} else {
-		saorder_state_valid = saorder_state_valid_prefer_new;
-		arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
-	}
 	s = pserialize_read_enter();
 	SAHLIST_READER_FOREACH(sah) {
 		/* search valid state */
-		for (stateidx = 0; stateidx < arraysize; stateidx++) {
-			state = saorder_state_valid[stateidx];
+		SASTATE_USABLE_FOREACH(state) {
 			SAVLIST_READER_FOREACH(sav, sah, state) {
 KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 "try match spi %#x, %#x\n",
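Review bot: removing this branch means `key_prefered_oldsa` is now silently ignored by `key_lookup_sa`; if the flag stays user-settable, its documentation should say it no longer affects inbound SA lookup, otherwise an operator flipping it will see no change and not know why.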



CVS commit: [netbsd-8] src/sys/netipsec

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 08:48:39 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #680):

sys/netipsec/xform_ah.c: revision 1.87
sys/netipsec/xform_ah.c: revision 1.77

Reinforce and clarify.

Reinforce this area, make sure the length field fits the option. Normally
it always does because the options were already sanitized earlier.


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.5 -r1.54.2.6 src/sys/netipsec/xform_ah.c


Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.5 src/sys/netipsec/xform_ah.c:1.54.2.6
--- src/sys/netipsec/xform_ah.c:1.54.2.5	Mon Feb 26 18:42:49 2018
+++ src/sys/netipsec/xform_ah.c	Sun Apr  1 08:48:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.5 2018/02/26 18:42:49 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.6 2018/04/01 08:48:39 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.5 2018/02/26 18:42:49 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.6 2018/04/01 08:48:39 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -491,54 +491,48 @@ ah_massage_headers(struct mbuf **m0, int
 
 		nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
-		for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+		for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+			int noff;
+
 			switch (nxt) {
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
+noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+/* Sanity check. */
+if (noff > skip - sizeof(struct ip6_hdr)) {
+	goto error6;
+}
 
 /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
 for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
 	if (ptr[count] == IP6OPT_PAD1) {
 		count++;
-		continue; /* Skip padding. */
+		continue;
 	}
 
-	/* Sanity check. */
-	if (count > off +
-	((ip6e->ip6e_len + 1) << 3)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
+	if (count + 1 >= noff) {
+		goto error6;
 	}
-
 	ad = ptr[count + 1] + 2;
 
-	/* If mutable option, zeroize. */
-	if (ptr[count] & IP6OPT_MUTABLE)
-		memcpy(ptr + count, ipseczeroes,
-		ad);
+	if (count + ad > noff) {
+		goto error6;
+	}
+
+	if (ptr[count] & IP6OPT_MUTABLE) {
+		memset(ptr + count, 0, ad);
+	}
 
 	count += ad;
+}
 
-	/* Sanity check. */
-	if (count >
-	skip - sizeof(struct ip6_hdr)) {
-		m_freem(m);
-
-		/* Free, if we allocated. */
-		if (alloc)
-			free(ptr, M_XDATA);
-		return EINVAL;
-	}
+if (count != noff) {
+	goto error6;
 }
 
 /* Advance. */
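Review bot: the new `noff` sanity check runs after `ip6e->ip6e_len` has already been read through `ptr + off`, and the loop guard `off < skip - sizeof(struct ip6_hdr)` only guarantees one byte at `off`, not the two of `struct ip6_ext`; a check of `off + sizeof(struct ip6_ext) > skip - sizeof(struct ip6_hdr)` before the dereference would close that, or, since the commit message says the options were sanitized earlier, a comment naming that earlier sanitization as the reason the read is safe. Minor: `noff` is a signed `int` compared with the `size_t` expression `skip - sizeof(struct ip6_hdr)`; it works only because `noff` can never be negative, which is worth stating.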
@@ -551,7 +545,7 @@ ah_massage_headers(struct mbuf **m0, int
  * Always include routing headers in
  * computation.
  */
-ip6e = (struct ip6_ext *) (ptr + off);
+ip6e = (struct ip6_ext *)(ptr + off);
 rh = (struct ip6_rthdr *)(ptr + off);
 /*
  * must adjust content to make it look like
@@ -592,11 +586,13 @@ ah_massage_headers(struct mbuf **m0, int
 			default:
 DPRINTF(("%s: unexpected IPv6 header type %d\n",
 __func__, off));
+error6:
 if (alloc)
 	free(ptr, M_XDATA);
 m_freem(m);
 return EINVAL;
 			}
+		}
 
 		/* Copyback and free, if we allocated. */
 		if (alloc) {
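Review bot: the `DPRINTF` just above the new `error6:` label prints `off` while its message says 'unexpected IPv6 header type %d'; the type is in `nxt`, so pass `nxt` (or print both, type and offset). Also, the malformed-option paths that `goto error6` jump past that DPRINTF, so those drops leave no debug trace; a DPRINTF at the label itself, or at the `goto` sites, would make the reason for the drop visible when debugging.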



CVS commit: [netbsd-8] src/sys/netipsec

2018-03-31 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sat Mar 31 10:46:20 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #677):

sys/netipsec/ipsec_input.c: revision 1.55

Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.

I'm not sure whether this is an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.


To generate a diff of this commit:
cvs rdiff -u -r1.43.2.4 -r1.43.2.5 src/sys/netipsec/ipsec_input.c


Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.43.2.4 src/sys/netipsec/ipsec_input.c:1.43.2.5
--- src/sys/netipsec/ipsec_input.c:1.43.2.4	Fri Mar 30 11:45:58 2018
+++ src/sys/netipsec/ipsec_input.c	Sat Mar 31 10:46:20 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.43.2.5 2018/03/31 10:46:20 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.5 2018/03/31 10:46:20 martin Exp $");
 
 /*
  * IPsec input processing.
@@ -507,6 +507,8 @@ ipsec6_common_input(struct mbuf **mp, in
 
 			if (nxt == IPPROTO_AH)
 l = (ip6e.ip6e_len + 2) << 2;
+			else if (nxt == IPPROTO_FRAGMENT)
+l = sizeof(struct ip6_frag);
 			else
 l = (ip6e.ip6e_len + 1) << 3;
 			KASSERT(l > 0);
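Review bot: stepping over the fragment header with `sizeof(struct ip6_frag)` fixes the garbage length, but the loop then treats whatever follows as the next extension header; for a non-first fragment (non-zero offset in `ip6f_offlg`) the bytes after the fragment header are payload, so `protoff` can still be computed from data. If this function can be reached before reassembly, the loop should stop (and the packet be dropped or deferred) when the fragment offset is non-zero; if it cannot, a comment saying so next to the new branch would save the next reader the same question.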


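Worked example added here, not NetBSD code: the two input-validation points from the pull-ups above (ticket #680's bounds-checked zeroing of mutable options in an options header, and ticket #677's fixed-size fragment header that has no length field) combined in one stand-alone walker over an IPv6 extension-header chain. The protocol and option constants are redefined locally, the sample chain and its two constructed corruptions are made up for the example, and the walker goes one step beyond the pull-ups by refusing to continue past a non-first fragment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Defined locally so the example builds stand-alone (kernel: <netinet/in.h>, <netinet/ip6.h>). */
#define IPPROTO_HOPOPTS   0
#define IPPROTO_FRAGMENT  44
#define IPPROTO_DSTOPTS   60
#define IP6OPT_PAD1       0x00
#define IP6OPT_MUTABLE    0x20   /* "may change en route" bit of an option type */

/* Validate the TLV options in one options header hdr[0..hlen) and zero the
 * mutable ones (what AH does before computing the ICV). 0 = ok, -1 = malformed. */
static int zero_mutable_options(uint8_t *hdr, size_t hlen)
{
    size_t count = 2;                         /* skip nxt and len */
    while (count < hlen) {
        if (hdr[count] == IP6OPT_PAD1) {      /* one-byte pad, no length byte */
            count++;
            continue;
        }
        if (count + 1 >= hlen) return -1;     /* no room for the length byte */
        size_t ad = (size_t)hdr[count + 1] + 2;
        if (count + ad > hlen) return -1;     /* option overruns its header */
        if (hdr[count] & IP6OPT_MUTABLE)
            memset(hdr + count, 0, ad);
        count += ad;
    }
    return count == hlen ? 0 : -1;
}

/* Walk the extension-header chain starting at pkt[off] with next-header nxt.
 * Stops at AH, ESP or an upper-layer protocol and returns its offset, storing
 * the protocol in *proto; -1 on malformed input or a non-first fragment. */
int walk_ext_headers(uint8_t *pkt, size_t pktlen, size_t off, uint8_t nxt,
                     uint8_t *proto)
{
    for (;;) {
        size_t hlen;
        switch (nxt) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_DSTOPTS:
            if (off + 2 > pktlen) return -1;  /* bound check before reading len */
            hlen = ((size_t)pkt[off + 1] + 1) << 3;
            if (off + hlen > pktlen) return -1;
            if (zero_mutable_options(pkt + off, hlen) != 0) return -1;
            break;
        case IPPROTO_FRAGMENT:
            hlen = 8;                         /* fixed size: byte 1 is reserved, not a length */
            if (off + hlen > pktlen) return -1;
            /* non-zero offset: what follows is payload of a later fragment, not a header */
            if (pkt[off + 2] != 0 || (pkt[off + 3] & 0xf8) != 0) return -1;
            break;
        default:
            *proto = nxt;
            return (int)off;
        }
        nxt = pkt[off];
        off += hlen;
    }
}

/* Constructed sample: Hop-by-Hop -> Destination options -> Fragment -> AH (51). */
static const uint8_t sample_chain[28] = {
    60, 0, 0x26, 2, 0xAA, 0xBB, 0x01, 0x00,     /* HBH: mutable option 0x26, PadN(0) */
    44, 0, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,  /* DSTOPTS: Pad1, Pad1, PadN(2) */
    51, 0, 0x00, 0x00, 0xDE, 0xAD, 0xBE, 0xEF,  /* Fragment: offset 0, identification */
    6, 4, 0, 0,                                 /* first bytes of the AH header */
};

/* Walk a private copy of the sample. variant 0 = intact; 1 = fragment offset 1
 * (non-first fragment); 2 = HBH option length 200, overrunning its 8-byte header. */
static int run_sample(int variant, uint8_t *proto, uint8_t *buf)
{
    memcpy(buf, sample_chain, sizeof sample_chain);
    if (variant == 1) buf[19] = 0x08;
    if (variant == 2) buf[3] = 200;
    return walk_ext_headers(buf, sizeof sample_chain, 0, IPPROTO_HOPOPTS, proto);
}

int demo_offset(int variant)        /* 24 for the intact chain, -1 for variants 1 and 2 */
{
    uint8_t proto = 0, buf[sizeof sample_chain];
    return run_sample(variant, &proto, buf);
}

int demo_proto(void)                /* protocol reached at the end: 51 (AH) */
{
    uint8_t proto = 0, buf[sizeof sample_chain];
    run_sample(0, &proto, buf);
    return proto;
}

int demo_mutable_zeroed(void)       /* 1 if option 0x26 was zeroed and the PadN after it kept */
{
    uint8_t proto = 0, buf[sizeof sample_chain];
    run_sample(0, &proto, buf);
    return buf[2] == 0 && buf[3] == 0 && buf[4] == 0 && buf[5] == 0 && buf[6] == 1;
}
```

The per-type length rule is the whole point: an options header's length byte counts 8-byte units excluding the first, an AH header (in the pull-up) counts 4-byte units excluding the first two, and a fragment header has no length byte at all, so its second byte must never be fed into either formula. Every length is checked against the buffer before the header is touched, and option bodies are checked against their own header before being zeroed.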

CVS commit: [netbsd-8] src/sys/netipsec

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:53:13 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_esp.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #670):

sys/netipsec/xform_esp.c: revision 1.73

Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.


To generate a diff of this commit:
cvs rdiff -u -r1.55.2.2 -r1.55.2.3 src/sys/netipsec/xform_esp.c


Modified files:

Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.55.2.2 src/sys/netipsec/xform_esp.c:1.55.2.3
--- src/sys/netipsec/xform_esp.c:1.55.2.2	Mon Feb 26 13:10:52 2018
+++ src/sys/netipsec/xform_esp.c	Fri Mar 30 11:53:13 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_esp.c,v 1.55.2.2 2018/02/26 13:10:52 martin Exp $	*/
+/*	$NetBSD: xform_esp.c,v 1.55.2.3 2018/03/30 11:53:13 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55.2.2 2018/02/26 13:10:52 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55.2.3 2018/03/30 11:53:13 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -319,6 +319,10 @@ esp_input(struct mbuf *m, struct secasva
 
 	/* XXX don't pullup, just copy header */
 	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof(struct newesp));
+	if (esp == NULL) {
+		/* m already freed */
+		return EINVAL;
+	}
 
 	esph = sav->tdb_authalgxform;
 	espx = sav->tdb_encalgxform;
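Review bot: the new early return drops the packet without incrementing any ESP drop counter, and the 'm already freed' comment relies on `IP6_EXTHDR_GET` freeing the chain on failure; if the other error exits in `esp_input` bump a header-drop statistic, this one should too, so that a truncated ESP header shows up in the counters instead of vanishing silently.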



CVS commit: [netbsd-8] src/sys/netipsec

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:50:56 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #669):

sys/netipsec/ipsec.c: revision 1.134

Fix ipsec4_get_ulp(). We should do "goto done" instead of "return",
otherwise the port fields of spidx are uninitialized.

ok mlelstv@


To generate a diff of this commit:
cvs rdiff -u -r1.99.2.4 -r1.99.2.5 src/sys/netipsec/ipsec.c


Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.99.2.4 src/sys/netipsec/ipsec.c:1.99.2.5
--- src/sys/netipsec/ipsec.c:1.99.2.4	Fri Feb 16 16:35:18 2018
+++ src/sys/netipsec/ipsec.c	Fri Mar 30 11:50:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.99.2.4 2018/02/16 16:35:18 martin Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.99.2.5 2018/03/30 11:50:56 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.4 2018/02/16 16:35:18 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.5 2018/03/30 11:50:56 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -1070,7 +1070,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 		case IPPROTO_ICMP:
 			spidx->ul_proto = nxt;
 			if (off + sizeof(struct icmp) > m->m_pkthdr.len)
-return;
+goto done;
 			m_copydata(m, off, sizeof(icmph), );
 			((struct sockaddr_in *)>src)->sin_port =
 			htons((uint16_t)icmph.icmp_type);
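Review bot: `goto done` is the right fix for the uninitialized ports, but the bound it sits under, `off + sizeof(struct icmp) > m->m_pkthdr.len`, is stricter than what the code reads: only `icmp_type` (and whatever the following lines copy) is taken from the header, while `struct icmp` includes the union of all message bodies, so a short but valid ICMP message skips the assignment and is matched with the default ports. A bound on the minimal ICMP header length (`ICMP_MINLEN`), or an `offsetof`-based bound for the fields actually read, would match policy on those packets too.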



CVS commit: [netbsd-8] src/sys/netipsec

2018-03-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Mar 30 11:45:58 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #667):

sys/netipsec/ipsec_input.c: revision 1.54

ipsec4_fixup_checksum calls m_pullup, so don't forget to do mtod() again,
to prevent use-after-free.

In fact, the m_pullup call is never reached: it is impossible for 'skip'
to be zero in this function, so add an XXX for now.


To generate a diff of this commit:
cvs rdiff -u -r1.43.2.3 -r1.43.2.4 src/sys/netipsec/ipsec_input.c


Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.43.2.3 src/sys/netipsec/ipsec_input.c:1.43.2.4
--- src/sys/netipsec/ipsec_input.c:1.43.2.3	Tue Mar  6 09:21:35 2018
+++ src/sys/netipsec/ipsec_input.c	Fri Mar 30 11:45:58 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.43.2.3 2018/03/06 09:21:35 martin Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.3 2018/03/06 09:21:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $");
 
 /*
  * IPsec input processing.
@@ -370,6 +370,7 @@ cantpull:
 		ip->ip_sum = 0;
 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
 	} else {
+		/* XXX this branch is never taken */
 		ip = mtod(m, struct ip *);
 	}
 
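Review bot: a branch the commit message says cannot be reached is better made loud than annotated: replace the `XXX this branch is never taken` comment with a `KASSERT` on the condition (or drop the branch), so that a future change making it reachable fails in a debug kernel instead of quietly running code that has never executed.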
@@ -381,6 +382,7 @@ cantpull:
 	m = ipsec4_fixup_checksum(m);
 	if (m == NULL)
 		goto cantpull;
+	ip = mtod(m, struct ip *);
 
 	prot = ip->ip_p;
 



CVS commit: [netbsd-8] src/sys/netipsec

2018-03-07 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Wed Mar  7 13:46:42 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: key.c keydb.h

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #609):
sys/netipsec/key.c: revision 1.249
sys/netipsec/keydb.h: revision 1.21
Avoid data races on lifetime counters by using percpu(9)
We don't make them percpu(9) directly because the structure is exposed to
userland and we don't want to break ABI.  So we add another member variable
for percpu(9) and use it internally.  When we export them to userland, they
are converted to the original format.


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.6 -r1.163.2.7 src/sys/netipsec/key.c
cvs rdiff -u -r1.15.2.1 -r1.15.2.2 src/sys/netipsec/keydb.h


Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.6 src/sys/netipsec/key.c:1.163.2.7
--- src/sys/netipsec/key.c:1.163.2.6	Sun Feb 11 21:17:34 2018
+++ src/sys/netipsec/key.c	Wed Mar  7 13:46:41 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.6 2018/02/11 21:17:34 snj Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.7 2018/03/07 13:46:41 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.6 2018/02/11 21:17:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.7 2018/03/07 13:46:41 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -788,6 +788,26 @@ static struct callout	key_timehandler_ch
 static struct workqueue	*key_timehandler_wq;
 static struct work	key_timehandler_wk;
 
+/*
+ * Utilities for percpu counters for sadb_lifetime_allocations and
+ * sadb_lifetime_bytes.
+ */
+#define LIFETIME_COUNTER_ALLOCATIONS	0
+#define LIFETIME_COUNTER_BYTES		1
+#define LIFETIME_COUNTER_SIZE		2
+
+typedef uint64_t lifetime_counters_t[LIFETIME_COUNTER_SIZE];
+
+static void
+key_sum_lifetime_counters(void *p, void *arg, struct cpu_info *ci __unused)
+{
+	lifetime_counters_t *one = p;
+	lifetime_counters_t *sum = arg;
+
+	(*sum)[LIFETIME_COUNTER_ALLOCATIONS] += (*one)[LIFETIME_COUNTER_ALLOCATIONS];
+	(*sum)[LIFETIME_COUNTER_BYTES] += (*one)[LIFETIME_COUNTER_BYTES];
+}
+
 u_int
 key_sp_refcnt(const struct secpolicy *sp)
 {
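Review bot: `key_sum_lifetime_counters()` reads each CPU's `uint64_t` counters with plain loads while the owning CPU may be incrementing them; unless `percpu_foreach()` runs the callback on the owning CPU, a 64-bit load can tear on 32-bit platforms, so the summed allocations/bytes are best-effort rather than exact. That is acceptable for statistics and lifetime checks, but the comment above the helper should say the sum is approximate so nobody builds an exact accounting on top of it.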
@@ -3260,6 +3280,8 @@ key_newsav(struct mbuf *m, const struct 
 		/* We don't allow lft_c to be NULL */
 		newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime),
 		KM_SLEEP);
+		newsav->lft_c_counters_percpu =
+		percpu_alloc(sizeof(lifetime_counters_t));
 	}
 
 	/* reset created */
@@ -3470,6 +3492,10 @@ key_freesaval(struct secasvar *sav)
 		kmem_intr_free(sav->key_auth, sav->key_auth_len);
 	if (sav->key_enc != NULL)
 		kmem_intr_free(sav->key_enc, sav->key_enc_len);
+	if (sav->lft_c_counters_percpu != NULL) {
+		percpu_free(sav->lft_c_counters_percpu,
+		sizeof(lifetime_counters_t));
+	}
 	if (sav->lft_c != NULL)
 		kmem_intr_free(sav->lft_c, sizeof(*(sav->lft_c)));
 	if (sav->lft_h != NULL)
@@ -3638,6 +3664,8 @@ key_setsaval(struct secasvar *sav, struc
 	sav->lft_c->sadb_lifetime_addtime = time_uptime;
 	sav->lft_c->sadb_lifetime_usetime = 0;
 
+	sav->lft_c_counters_percpu = percpu_alloc(sizeof(lifetime_counters_t));
+
 	/* lifetimes for HARD and SOFT */
 {
 	const struct sadb_lifetime *lft0;
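Review bot: `key_setsaval()` now allocates `lft_c_counters_percpu` unconditionally, and `key_newsav()` (earlier hunk) allocates it too in the branch that creates `lft_c`; if one `secasvar` can pass through both paths, the first per-CPU area is leaked because nothing frees it before the reassignment. Either guard with `if (sav->lft_c_counters_percpu == NULL)` or free the old area first; `key_freesaval()` only releases whatever pointer is current at teardown.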
@@ -3821,7 +3849,9 @@ key_setdumpsa(struct secasvar *sav, u_in
 			p = sav->key_enc;
 			break;
 
-		case SADB_EXT_LIFETIME_CURRENT:
+		case SADB_EXT_LIFETIME_CURRENT: {
+			lifetime_counters_t sum = {0};
+
 			KASSERT(sav->lft_c != NULL);
 			l = PFKEY_UNUNIT64(((struct sadb_ext *)sav->lft_c)->sadb_ext_len);
 			memcpy(, sav->lft_c, sizeof(struct sadb_lifetime));
@@ -3829,8 +3859,15 @@ key_setdumpsa(struct secasvar *sav, u_in
 			time_mono_to_wall(lt.sadb_lifetime_addtime);
 			lt.sadb_lifetime_usetime =
 			time_mono_to_wall(lt.sadb_lifetime_usetime);
+			percpu_foreach(sav->lft_c_counters_percpu,
+			key_sum_lifetime_counters, sum);
+			lt.sadb_lifetime_allocations =
+			sum[LIFETIME_COUNTER_ALLOCATIONS];
+			lt.sadb_lifetime_bytes =
+			sum[LIFETIME_COUNTER_BYTES];
 			p = 
 			break;
+		}
 
 		case SADB_EXT_LIFETIME_HARD:
 			if (!sav->lft_h)
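Review bot: the `sadb_lifetime_allocations` and `sadb_lifetime_bytes` values copied from `sav->lft_c` by the `memcpy` above are immediately overwritten with the per-CPU sum, so those two fields of `lft_c` are now dead on the export path. A comment at the `memcpy` saying that the counters are authoritative in `lft_c_counters_percpu` would keep a future reader from updating `lft_c` and wondering why the dump never changes.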
@@ -4860,9 +4897,17 @@ restart:
 			 * when new SA is installed.  Caution when it's
 			 * installed too big lifetime by time.
 			 */
-			else if (sav->lft_s->sadb_lifetime_bytes != 0 &&
-			 sav->lft_s->sadb_lifetime_bytes <
-			 sav->lft_c->sadb_lifetime_bytes) {
+			else {
+uint64_t lft_c_bytes = 0;
+lifetime_counters_t sum = {0};
+
+percpu_foreach(sav->lft_c_counters_percpu,
+key_sum_lifetime_counters, sum);
+lft_c_bytes = sum[LIFETIME_COUNTER_BYTES];
+
+if (sav->lft_s->sadb_lifetime_bytes == 0 ||
+sav->lft_s->sadb_lifetime_bytes >= 
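Review bot: the hunk is cut off after `sadb_lifetime_bytes >=`, so the body of the new `else` block cannot be reviewed here; since `== 0 ||` together with `>=` is the exact negation of the old `!= 0 &&` with `<`, the new block presumably skips the soft-lifetime expiry when no byte limit is set or it is not yet reached, and the branch that does expire the SA needs to be checked in the full diff. Minor: `uint64_t lft_c_bytes = 0;` is initialised and then unconditionally assigned from `sum[LIFETIME_COUNTER_BYTES]`, so the initialiser can go.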


CVS commit: [netbsd-8] src/sys/netipsec

2018-03-06 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar  6 11:17:55 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsecif.c

Log Message:
Pull up following revision(s) (requested by knakahara in ticket #607):
sys/netipsec/ipsecif.c: revision 1.3
Fix fragment processing in ipsec4_fragout(). Pointed out by maxv@n.o, thanks.
XXX need pullup-8


To generate a diff of this commit:
cvs rdiff -u -r1.1.2.2 -r1.1.2.3 src/sys/netipsec/ipsecif.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsecif.c
diff -u src/sys/netipsec/ipsecif.c:1.1.2.2 src/sys/netipsec/ipsecif.c:1.1.2.3
--- src/sys/netipsec/ipsecif.c:1.1.2.2	Sun Feb 11 21:17:34 2018
+++ src/sys/netipsec/ipsecif.c	Tue Mar  6 11:17:55 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.1.2.2 2018/02/11 21:17:34 snj Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.1.2.3 2018/03/06 11:17:55 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.2 2018/02/11 21:17:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.3 2018/03/06 11:17:55 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -266,7 +266,7 @@ ipsecif4_fragout(struct ipsec_variant *v
 
 	for (error = 0; m; m = next) {
 		next = m->m_nextpkt;
-		m->m_next = NULL;
+		m->m_nextpkt = NULL;
 		if (error) {
 			m_freem(m);
 			continue;
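Review bot: `m->m_nextpkt = NULL` is the right field because the loop advances with `next = m->m_nextpkt`; the old `m->m_next = NULL` detached the first mbuf of each fragment from the rest of its own data chain while leaving the fragment linked to the next one, so the send path handed on a truncated fragment and the `m_freem(m)` error path leaked the detached mbufs. Since the bug only shows once output through ipsecif exceeds the tunnel MTU, a fragmented-output regression test would be a good companion to this one-word fix.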




CVS commit: [netbsd-8] src/sys/netipsec

2018-03-06 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Mar  6 09:21:35 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv):
sys/netipsec/ipsec_input.c: revision 1.57
sys/netipsec/ipsec_input.c: revision 1.58

Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.

Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.


To generate a diff of this commit:
cvs rdiff -u -r1.43.2.2 -r1.43.2.3 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.43.2.2 src/sys/netipsec/ipsec_input.c:1.43.2.3
--- src/sys/netipsec/ipsec_input.c:1.43.2.2	Mon Feb  5 14:55:16 2018
+++ src/sys/netipsec/ipsec_input.c	Tue Mar  6 09:21:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.43.2.2 2018/02/05 14:55:16 martin Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.43.2.3 2018/03/06 09:21:35 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.2 2018/02/05 14:55:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.3 2018/03/06 09:21:35 martin Exp $");
 
 /*
  * IPsec input processing.
@@ -384,14 +384,15 @@ cantpull:
 
 	prot = ip->ip_p;
 
+#ifdef notyet
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), );
 
-#ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
 		/*
 		 * Check that the inner source address is the same as
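Review bot: the `/* XXX: check m_pkthdr.len */` comment records what is missing, but spelling out the concrete condition would make the block safe to re-enable later: before the `m_copydata()` at offset `ip->ip_hl << 2` for `sizeof(struct ip)` bytes, the code must verify `m->m_pkthdr.len >= (ip->ip_hl << 2) + sizeof(struct ip)`, since `m_copydata()` does not tolerate a chain shorter than the requested range. The log message notes that a one-byte IPIP payload reaches this point after authentication, which is why moving the `#ifdef notyet` up is the right interim fix.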
@@ -420,7 +421,6 @@ cantpull:
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #if INET6
 	/* IPv6-in-IP encapsulation. */
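Review bot: minor consistency point: this path tests `#if INET6` while the IPv6 callback later in the file uses `#ifdef INET`; `#if INET6` silently compiles the block out if the symbol is defined without a value, so it works only as long as the option header defines it to a non-zero value, and `#ifdef INET6` is the less fragile form.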
@@ -428,9 +428,9 @@ cantpull:
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -458,9 +458,9 @@ cantpull:
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET6 */
+#endif /* notyet */
 
 	key_sa_recordxfer(sav, m);		/* record data transfer */
 
@@ -587,15 +587,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, );
 
+#ifdef notyet
 #ifdef INET
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
 		/* ipn will now contain the inner IPv4 header */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -621,18 +622,16 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
 #endif /* INET */
-
 	/* IPv6-in-IP encapsulation */
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
 		/* ip6n will now contain the inner IPv6 header. */
+		/* XXX: check m_pkthdr.len */
 		m_copydata(m, skip, sizeof(struct ip6_hdr), );
 
-#ifdef notyet
 		/*
 		 * Check that the inner source address is the same as
 		 * the proxy address, if available.
@@ -659,8 +658,8 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EACCES;
 			goto bad;
 		}
-#endif /*XXX*/
 	}
+#endif /* notyet */
 
 	key_sa_recordxfer(sav, m);
 
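Review bot: the nesting closes correctly (`#endif /* INET */` inside, then `#endif /* notyet */`), and `key_sa_recordxfer()` stays outside the disabled region, so byte accounting is unaffected. What is lost with the checks compiled out is any hint in the code why they are disabled; a comment on the opening `#ifdef notyet` naming the missing length validation would help whoever re-enables the inner-header checks.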




CVS commit: [netbsd-8] src/sys/netipsec

2018-02-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Feb 26 18:42:50 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up rev 1.78 of sys/netipsec/xform_ah.c for real, requested by
ozaki-r in ticket #587 (and already claimed to be part of previous
commit)


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.4 -r1.54.2.5 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.4 src/sys/netipsec/xform_ah.c:1.54.2.5
--- src/sys/netipsec/xform_ah.c:1.54.2.4	Mon Feb 26 13:10:52 2018
+++ src/sys/netipsec/xform_ah.c	Mon Feb 26 18:42:49 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.4 2018/02/26 13:10:52 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.5 2018/02/26 18:42:49 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.4 2018/02/26 13:10:52 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.5 2018/02/26 18:42:49 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -855,18 +855,6 @@ ah_input_cb(struct cryptop *crp)
 	IPSEC_ACQUIRE_GLOBAL_LOCKS();
 
 	sav = tc->tc_sav;
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF();
-		sav = KEY_LOOKUP_SA(>tc_dst, tc->tc_proto, tc->tc_spi,
-		sport, dport);
-		if (sav == NULL) {
-			AH_STATINC(AH_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
-
 	saidx = >sah->saidx;
 	KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
 	saidx->dst.sa.sa_family == AF_INET6,
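Review bot: removing the re-lookup also removes the only `KEY_SA_UNREF()` in this region; the callback now relies entirely on the reference carried in `tc->tc_sav` across the crypto operation, so confirm that the normal and `bad:` exits still drop that reference exactly once, otherwise every authenticated packet pins its SA. The log message's rationale (a re-lookup could return an sav with different parameters) is sound, but note that the "SA expired while in crypto" counter increment goes away here, which changes what `AH_STAT_NOTDB` measures.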
@@ -1274,24 +1262,6 @@ ah_output_cb(struct cryptop *crp)
 
 	isr = tc->tc_isr;
 	sav = tc->tc_sav;
-	if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD)) {
-		AH_STATINC(AH_STAT_NOTDB);
-		IPSECLOG(LOG_DEBUG,
-		"SP is being destroyed while in crypto (id=%u)\n",
-		isr->sp->id);
-		error = ENOENT;
-		goto bad;
-	}
-	if (__predict_false(!SADB_SASTATE_USABLE_P(sav))) {
-		KEY_SA_UNREF();
-		sav = KEY_LOOKUP_SA(>tc_dst, tc->tc_proto, tc->tc_spi, 0, 0);
-		if (sav == NULL) {
-			AH_STATINC(AH_STAT_NOTDB);
-			DPRINTF(("%s: SA expired while in crypto\n", __func__));
-			error = ENOBUFS;		/*XXX*/
-			goto bad;
-		}
-	}
 
 	/* Check for crypto errors. */
 	if (crp->crp_etype) {
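Review bot: this hunk drops the `isr->sp->state == IPSEC_SPSTATE_DEAD` check as well as the SA re-lookup, but the log message only justifies dropping the lookup because a reference is held. Holding a reference keeps the SP from being freed; it does not by itself stop the SP from being marked dead while the packet is in crypto, so either confirm that continuing output for a dead SP is harmless further down this callback or keep that check and its `ENOENT` exit.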




CVS commit: [netbsd-8] src/sys/netipsec

2018-02-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Feb 26 13:10:52 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c xform_esp.c xform_ipcomp.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #587):
sys/netipsec/xform_ipcomp.c: revision 1.54-1.56
sys/netipsec/xform_ah.c: revision 1.78,1.79(patch),1.82-1.84
sys/netipsec/xform_esp.c: revision 1.74-1.76

Fix mbuf leaks on error paths

Dedup common codes in error paths (NFCI)

Don't relook up an SP/SA in opencrypto callbacks
We don't need to do so because we have a reference to it. And also
relooking-up one there may return an sp/sav that has different
parameters from an original one.

Fix kernel panic (assertion failure) on receiving an IPv6 packet with large options
If an IPv6 packet has large options, a necessary space for evacuation can
exceed the expected size (ah_pool_item_size). Give up using the pool_cache
if it happens.

Style.

Commonalize error paths (NFC)

Fix buffer overflow on sending an IPv6 packet with large options
If an IPv6 packet has large options, a necessary space for evacuation can
exceed the expected size (ah_pool_item_size). Give up using the pool_cache
if it happens.
Pointed out by maxv@


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.3 -r1.54.2.4 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.55.2.1 -r1.55.2.2 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.38.2.1 -r1.38.2.2 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.3 src/sys/netipsec/xform_ah.c:1.54.2.4
--- src/sys/netipsec/xform_ah.c:1.54.2.3	Thu Feb 15 07:58:04 2018
+++ src/sys/netipsec/xform_ah.c	Mon Feb 26 13:10:52 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.4 2018/02/26 13:10:52 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.4 2018/02/26 13:10:52 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -55,6 +55,7 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -100,8 +101,8 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v
 
 percpu_t *ahstat_percpu;
 
-int	ah_enable = 1;			/* control flow of packets with AH */
-int	ip4_ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
+int ah_enable = 1;			/* control flow of packets with AH */
+int ip4_ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
 
 #ifdef __FreeBSD__
 SYSCTL_DECL(_net_inet_ah);
@@ -111,7 +112,6 @@ SYSCTL_INT(_net_inet_ah, OID_AUTO,
 	ah_cleartos,	CTLFLAG_RW,	_ah_cleartos,	0, "");
 SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
 	stats,		CTLFLAG_RD,	,	ahstat, "");
-
 #endif /* __FreeBSD__ */
 
 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
@@ -277,17 +277,15 @@ ah_massage_headers(struct mbuf **m0, int
 	struct mbuf *m = *m0;
 	unsigned char *ptr;
 	int off, count;
-
 #ifdef INET
 	struct ip *ip;
-#endif /* INET */
-
+#endif
 #ifdef INET6
 	struct ip6_ext *ip6e;
 	struct ip6_hdr ip6;
 	struct ip6_rthdr *rh;
 	int alloc, ad, nxt;
-#endif /* INET6 */
+#endif
 
 	switch (proto) {
 #ifdef INET
@@ -428,7 +426,6 @@ ah_massage_headers(struct mbuf **m0, int
 			if (off > skip)	{
 DPRINTF(("%s: malformed IPv4 options header\n",
 	__func__));
-
 m_freem(m);
 return EINVAL;
 			}
@@ -629,6 +626,7 @@ ah_input(struct mbuf *m, struct secasvar
 	struct cryptodesc *crda;
 	struct cryptop *crp = NULL;
 	uint8_t nxt;
+	bool pool_used;
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
@@ -715,9 +713,14 @@ ah_input(struct mbuf *m, struct secasvar
 	size_t extra = skip + rplen + authsize;
 	size += extra;
 
-	KASSERTMSG(size <= ah_pool_item_size,
-	"size=%zu > ah_pool_item_size=%zu\n", size, ah_pool_item_size);
-	tc = pool_cache_get(ah_tdb_crypto_pool_cache, PR_NOWAIT);
+	if (__predict_true(size <= ah_pool_item_size)) {
+		tc = pool_cache_get(ah_tdb_crypto_pool_cache, PR_NOWAIT);
+		pool_used = true;
+	} else {
+		/* size can exceed on IPv6 packets with large options.  */
+		tc = kmem_intr_zalloc(size, KM_NOSLEEP);
+		pool_used = false;
+	}
 	if (tc == NULL) {
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
 		stat = AH_STAT_CRYPTO;
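Review bot: the fallback path allocates `size` bytes with `kmem_intr_zalloc()`, which zero-fills, while the pool path returns an item of `ah_pool_item_size` with whatever contents the pool cache hands back; any field of `tc` that later code expects to be zero must therefore be initialised explicitly on the pool path too. The matching `kmem_intr_free(tc, size)` in `bad:` depends on `size` being unchanged between here and the error exit, which a comment at the declaration of `size` should state. Replacing the KASSERT with a graceful fallback is the right call, since the oversize case is driven by option lengths in received IPv6 packets.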
@@ -789,8 +792,12 @@ ah_input(struct mbuf *m, struct secasvar
 	return crypto_dispatch(crp);
 
 bad:
-	if (tc != NULL)
-		pool_cache_put(ah_tdb_crypto_pool_cache, tc);
+	if (tc != NULL) {
+		if (__predict_true(pool_used))
+			pool_cache_put(ah_tdb_crypto_pool_cache, tc);
+		else
+			kmem_intr_free(tc, size);
+	}
 	if (crp != 
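Review bot: `pool_used` is declared without an initialiser in the hunk above and assigned only at the allocation site; the `bad:` path is safe today because it tests `tc != NULL` first and `tc` is only non-NULL after `pool_used` was set, but that ordering dependency is easy to break. Initialising `bool pool_used = false;` at the declaration costs nothing and removes it. The hunk is cut off at `if (crp != `, so the `crp` release could not be reviewed here.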


CVS commit: [netbsd-8] src/sys/netipsec

2018-02-16 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb 16 16:35:18 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #559):

sys/netipsec/ipsec.c: revision 1.130

Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.


To generate a diff of this commit:
cvs rdiff -u -r1.99.2.3 -r1.99.2.4 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.99.2.3 src/sys/netipsec/ipsec.c:1.99.2.4
--- src/sys/netipsec/ipsec.c:1.99.2.3	Mon Feb  5 14:55:16 2018
+++ src/sys/netipsec/ipsec.c	Fri Feb 16 16:35:18 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.99.2.3 2018/02/05 14:55:16 martin Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.99.2.4 2018/02/16 16:35:18 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.3 2018/02/05 14:55:16 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.4 2018/02/16 16:35:18 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -1060,7 +1060,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
 			spidx->dst.sin.sin_port = uh.uh_dport;
 			return;
 		case IPPROTO_AH:
-			if (m->m_pkthdr.len > off + sizeof(ip6e))
+			if (off + sizeof(ip6e) > m->m_pkthdr.len)
 goto done;
 			/* XXX sigh, this works but is totally bogus */
 			m_copydata(m, off, sizeof(ip6e), );
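Review bot: the corrected test `off + sizeof(ip6e) > m->m_pkthdr.len` now bails before `m_copydata()` exactly when the header would extend past the packet; the old test had it backwards and skipped the packets that were safe to read while copying from the ones that were not. One caveat: `sizeof` makes the comparison unsigned, so `m_pkthdr.len` is converted to `size_t`; that is fine because a packet length is never negative, but it also means a negative `off` would not be caught, so `off` must be known non-negative here. The `XXX sigh, this works but is totally bogus` comment still applies and should stay until this peek is rewritten.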




CVS commit: [netbsd-8] src/sys/netipsec

2018-02-15 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 14:28:38 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #551):
sys/netipsec/xform_ipip.c: revision 1.56-1.63

Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:

218 ipo = mtod(m, struct ip *);
281 m = m_pullup(m, hlen);
232 ipo->ip_src.s_addr

Found by Mootja.

Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.

Style and remove dead code.

dedup

Fix the IPIP_STAT_IBYTES stats; we did m_adj(m, iphlen) which subtracted
iphlen, so no need to re-subtract it again.

Remove broken MROUTING code, rename ipo->ip4, and simplify.


To generate a diff of this commit:
cvs rdiff -u -r1.49.2.2 -r1.49.2.3 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.49.2.2 src/sys/netipsec/xform_ipip.c:1.49.2.3
--- src/sys/netipsec/xform_ipip.c:1.49.2.2	Sun Dec 10 09:41:32 2017
+++ src/sys/netipsec/xform_ipip.c	Thu Feb 15 14:28:38 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.49.2.2 2017/12/10 09:41:32 snj Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.49.2.3 2018/02/15 14:28:38 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.49.2.2 2017/12/10 09:41:32 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.49.2.3 2018/02/15 14:28:38 martin Exp $");
 
 /*
  * IP-inside-IP processing
@@ -74,10 +74,6 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c
 
 #include 
 
-#ifdef MROUTING
-#include 
-#endif
-
 #ifdef INET6
 #include 
 #include 
@@ -88,84 +84,41 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c
 #include 
 #include 
 
-typedef void	pr_in_input_t (struct mbuf *m, ...);
+/* XXX IPCOMP */
+#define	M_IPSEC	(M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
 
-/*
- * We can control the acceptance of IP4 packets by altering the sysctl
- * net.inet.ipip.allow value.  Zero means drop them, all else is acceptance.
- */
-int	ipip_allow = 0;
+typedef void pr_in_input_t(struct mbuf *m, ...);
 
+int ipip_allow = 0;
 percpu_t *ipipstat_percpu;
 
-#ifdef SYSCTL_DECL
-SYSCTL_DECL(_net_inet_ipip);
-
-SYSCTL_INT(_net_inet_ipip, OID_AUTO,
-	ipip_allow,	CTLFLAG_RW,	_allow,	0, "");
-SYSCTL_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
-	stats,		CTLFLAG_RD,	,	ipipstat, "");
-
-#endif
-
 void ipe4_attach(void);
 
-
-/* XXX IPCOMP */
-#define	M_IPSEC	(M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
-
 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
 
 #ifdef INET6
-/*
- * Really only a wrapper for ipip_input(), for use with IPv6.
- */
 int
 ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused)
 {
-#if 0
-	/* If we do not accept IP-in-IP explicitly, drop.  */
-	if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
-		DPRINTF(("%s: dropped due to policy\n", __func__));
-		IPIP_STATINC(IPIP_STAT_PDROPS);
-		m_freem(*m);
-		return IPPROTO_DONE;
-	}
-#endif
 	_ipip_input(*m, *offp, NULL);
 	return IPPROTO_DONE;
 }
-#endif /* INET6 */
+#endif
 
 #ifdef INET
-/*
- * Really only a wrapper for ipip_input(), for use with IPv4.
- */
 void
 ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused)
 {
-
-#if 0
-	/* If we do not accept IP-in-IP explicitly, drop.  */
-	if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
-		DPRINTF(("%s: dropped due to policy\n", __func__));
-		IPIP_STATINC(IPIP_STAT_PDROPS);
-		m_freem(m);
-		return;
-	}
-#endif
-
 	_ipip_input(m, off, NULL);
 }
-#endif /* INET */
+#endif
 
 /*
  * ipip_input gets called when we receive an IP{46} encapsulated packet,
  * either because we got it at a real interface, or because AH or ESP
  * were being used in tunnel mode (in which case the rcvif element will
- * contain the address of the encX interface associated with the tunnel.
+ * contain the address of the encX interface associated with the tunnel).
  */
-
 static void
 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 {
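Review bot: dropping the `SYSCTL_*` glue and the `#if 0` policy blocks also removes the only description of what `ipip_allow` means ("Zero means drop them, all else is acceptance"), yet `int ipip_allow = 0;` survives; if it is still wired to a sysctl elsewhere, keep a one-line comment on the variable so its semantics are not lost, and if it is not, it can go as well. Since both `#if 0` blocks referencing `M_IPSEC` are gone, confirm the macro (moved to the top of this hunk) still has a user, otherwise it is dead too. There is no functional change from removing the blocks themselves, as they were already compiled out.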
@@ -173,7 +126,7 @@ _ipip_input(struct mbuf *m, int iphlen, 
 	register struct ifnet *ifp;
 	register struct ifaddr *ifa;
 	pktqueue_t *pktq = NULL;
-	struct ip *ipo;
+	struct ip *ip4 = NULL;
 #ifdef INET6
 	register struct sockaddr_in6 *sin6;
 	struct ip6_hdr *ip6 = NULL;
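Review bot: initialising `ip4 = NULL` (renamed from `ipo`) is what the log message asks for so the later local-address-spoofing check can distinguish the IPv4 and IPv6 inner cases, matching how `ip6` is already initialised. Because the original use-after-free came from taking `ipo` via `mtod()` before `m_pullup()`, make sure that in the remainder of the diff (cut off below) `ip4` is assigned only after the pullup.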
@@ -189,21 +142,21 @@ _ipip_input(struct mbuf *m, int iphlen, 
 
 	switch (v >> 4) {
 #ifdef INET
-case 4:
+	case 4:
 		hlen = sizeof(struct ip);
 		break;
-#endif /* INET */
+#endif
 #ifdef INET6
- 

CVS commit: [netbsd-8] src/sys/netipsec

2018-02-14 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Feb 15 07:58:04 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #549):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.2 -r1.54.2.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.2 src/sys/netipsec/xform_ah.c:1.54.2.3
--- src/sys/netipsec/xform_ah.c:1.54.2.2	Fri Jan 26 19:51:19 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 07:58:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -628,6 +628,7 @@ ah_input(struct mbuf *m, struct secasvar
 	int hl, rplen, authsize, error, stat = AH_STAT_HDROPS;
 	struct cryptodesc *crda;
 	struct cryptop *crp = NULL;
+	uint8_t nxt;
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
@@ -647,6 +648,8 @@ ah_input(struct mbuf *m, struct secasvar
 		goto bad;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		char buf[IPSEC_LOGSASTRLEN];
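Review bot: snapshotting `nxt = ah->ah_nxt` here, before anything can reallocate the chain, is the right fix for the stale `ah` pointer; the only later use this diff rewrites is `tc->tc_nxt`, so please confirm that no other `ah->` dereference survives between `m_makewritable()` / `ah_massage_headers()` and the `tc` setup in the part of ah_input() the hunks do not show, otherwise the use-after-free just moves rather than goes away.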
@@ -672,6 +675,18 @@ ah_input(struct mbuf *m, struct secasvar
 		error = EACCES;
 		goto bad;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(>sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		stat = AH_STAT_BADAUTHL;
+		error = EACCES;
+		goto bad;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
@@ -761,7 +776,7 @@ ah_input(struct mbuf *m, struct secasvar
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_sav = sav;
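Review bot: a one-line comment at the `uint8_t nxt` declaration (or here) saying the copy exists because `ah` may be stale after `m_makewritable()` / `ah_massage_headers()` would stop a later cleanup from folding this back into `ah->ah_nxt`.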




CVS commit: [netbsd-8] src/sys/netipsec

2018-01-26 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Jan 26 19:51:19 UTC 2018

Modified Files:
src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #512):
sys/netipsec/xform_ah.c: revision 1.75
sys/netipsec/xform_ah.c: revision 1.76
Revert a part of rev1.49 (six months ago). The pointer given to memcpy
was correct.
Discussed with Christos and Ryota.
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.1 -r1.54.2.2 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.1 src/sys/netipsec/xform_ah.c:1.54.2.2
--- src/sys/netipsec/xform_ah.c:1.54.2.1	Sat Oct 21 19:43:54 2017
+++ src/sys/netipsec/xform_ah.c	Fri Jan 26 19:51:19 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.1 2017/10/21 19:43:54 snj Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.1 2017/10/21 19:43:54 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -419,7 +419,7 @@ ah_massage_headers(struct mbuf **m0, int
 
 /* Zeroize all other options. */
 count = ptr[off + 1];
-memcpy(ptr, ipseczeroes, count);
+memcpy(ptr + off, ipseczeroes, count);
 off += count;
 break;
 			}
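Review bot: `ptr + off` is the correct destination for the zeroize, as the log says; what this hunk does not show is any check that `count >= 2` and that `off + count` stays inside the IPv4 option area before `off += count`, so a zero or oversized IPv4 option length has the same no-progress / over-write shape as the IPv6 loop fixed in the next hunk. The log defers hardening to separate commits; flagging that this loop needs it as well.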
@@ -523,12 +523,12 @@ ah_massage_headers(struct mbuf **m0, int
 		return EINVAL;
 	}
 
-	ad = ptr[count + 1];
+	ad = ptr[count + 1] + 2;
 
 	/* If mutable option, zeroize. */
 	if (ptr[count] & IP6OPT_MUTABLE)
 		memcpy(ptr + count, ipseczeroes,
-		ptr[count + 1]);
+		ad);
 
 	count += ad;
 
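Review bot: the `+ 2` fixes the zero-length infinite loop and the misaligned cursor, but nothing in this hunk bounds `count + ad` against the extension header length before the memcpy, so an oversized Opt Data Len still zeroes past the option area; the log says that is left to follow-up commits, which should be pulled up on the branch together with this one. Separately, zeroing `ad` octets from `ptr + count` also clears the Type and Opt Data Len octets; RFC 4302 section 3.3.3.1.2.2 keeps those two octets in the ICV and zeroes only the option data, so a packet carrying a mutable option would fail ICV verification against a strictly conforming peer. That part is pre-existing (the old code started at the same offset), not introduced here.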


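The loop the ticket #512 log describes, as an added example in C that is not NetBSD code: a walk over the option area of an IPv6 Hop-by-Hop / Destination Options header, with the old arithmetic (option size taken from the Opt Data Len octet alone) and the `+ 2` form side by side, run over two constructed option areas. `walk_ip6_options`, `demo_walk`, `demo_last_off`, `demo_fixed_zeroes_mutable` and the mutable option type 0x21 are this example's own names and inputs; only the `IP6OPT_PAD1` and `IP6OPT_MUTABLE` values mirror the kernel's constants. Unlike the kernel code, the old-arithmetic mode refuses the out-of-bounds zeroize and reports it instead of performing it, so the example can show both failure modes the log names (no progress on a zero-length option, and a misaligned cursor that reads attacker data as a 240-octet mutable option) without corrupting memory.

```c
/* Added example, not NetBSD code: the IPv6 option walk from the #512 log in
 * pre-1.76 and fixed form, over two constructed option areas.  The names
 * (walk_ip6_options, demo_*, mutable option type 0x21) are this example's
 * own; only IP6OPT_PAD1 / IP6OPT_MUTABLE mirror the kernel's constants. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6OPT_PAD1    0x00   /* one-octet padding, carries no length octet */
#define IP6OPT_MUTABLE 0x20   /* type bit: option data may change en route */

enum walk_rc {
    WALK_OK = 0,
    WALK_MALFORMED = -1,    /* option runs past the header: drop the packet */
    WALK_NO_PROGRESS = -2,  /* cursor never advanced: the infinite-loop case */
    WALK_OOB_WRITE = -3     /* a zeroize would have written past the buffer */
};

/* Walk the option area after the 2-octet Next Header / Hdr Ext Len prefix of
 * a Hop-by-Hop or Destination Options header, zeroing mutable options in
 * place as an AH ICV computation must.  with_fix == 0 is the old arithmetic
 * (option size = Opt Data Len alone); with_fix != 0 adds the Type and Opt
 * Data Len octets, as revision 1.76 does.  Unlike the kernel, both modes
 * bounds-check before writing, so the old arithmetic reports what it would
 * have done instead of corrupting memory.  *bad_off: where the walk stopped. */
enum walk_rc walk_ip6_options(uint8_t *ptr, size_t len, int with_fix,
    size_t *bad_off)
{
    size_t off = 0, iter = 0;

    while (off < len) {
        *bad_off = off;
        if (++iter > len)               /* a valid step advances >= 1 octet */
            return WALK_NO_PROGRESS;
        if (ptr[off] == IP6OPT_PAD1) { off++; continue; }
        if (off + 2 > len)              /* Type and Opt Data Len must fit */
            return WALK_MALFORMED;
        size_t ad = (size_t)ptr[off + 1] + (with_fix ? 2 : 0);
        if (with_fix && off + ad > len) /* the whole option must fit */
            return WALK_MALFORMED;
        if (ptr[off] & IP6OPT_MUTABLE) {
            if (off + ad > len)         /* only reachable without the fix */
                return WALK_OOB_WRITE;
            memset(ptr + off, 0, ad);
        }
        off += ad;
    }
    *bad_off = off;
    return WALK_OK;
}

/* Constructed option areas, not captured traffic.
 * A: mutable option 0x21 with Opt Data Len 0, then Pad1, then PadN(1);
 *    without the +2 the cursor never leaves offset 0.
 * B: PadN with 4 data octets, then PadN(0); read two octets early by the old
 *    arithmetic, the data octets 0x21 0xF0 look like a mutable option of
 *    240 octets, which is the out-of-bounds zeroize the log describes. */
static const uint8_t SAMPLE_A[] = { 0x21, 0x00, 0x00, 0x01, 0x01, 0x00 };
static const uint8_t SAMPLE_B[] = { 0x01, 0x04, 0xAA, 0xBB, 0x21, 0xF0, 0x01, 0x00 };

size_t demo_last_off;   /* offset at which the last demo_walk() stopped */

/* Walk a private copy of sample 'which' (0 = A, 1 = B); returns the rc. */
enum walk_rc demo_walk(int which, int with_fix)
{
    uint8_t buf[16];
    size_t len = which ? sizeof(SAMPLE_B) : sizeof(SAMPLE_A);
    memcpy(buf, which ? SAMPLE_B : SAMPLE_A, len);
    return walk_ip6_options(buf, len, with_fix, &demo_last_off);
}

/* 1 if the fixed walk over A zeroes the mutable option's Type and Len octets
 * and leaves the padding options untouched. */
int demo_fixed_zeroes_mutable(void)
{
    uint8_t buf[sizeof(SAMPLE_A)];
    size_t off;
    memcpy(buf, SAMPLE_A, sizeof buf);
    if (walk_ip6_options(buf, sizeof buf, 1, &off) != WALK_OK)
        return 0;
    return buf[0] == 0 && buf[1] == 0 && buf[2] == 0 &&
           buf[3] == 0x01 && buf[4] == 0x01 && buf[5] == 0x00;
}

int main(void)
{
    for (int w = 0; w < 2; w++)
        for (int fix = 0; fix < 2; fix++) {
            int rc = demo_walk(w, fix);
            printf("sample %c %s +2: rc=%d at offset %zu\n", "AB"[w],
                fix ? "with" : "without", rc, demo_last_off);
        }
    printf("fixed walk zeroes only the mutable option: %d\n",
        demo_fixed_zeroes_mutable());
    return 0;
}
```

The `off + ad > len` check is the bound the log says is being reinforced in later commits; it only becomes meaningful once `ad` counts the Type and Opt Data Len octets, because with the old arithmetic the cursor is already two octets short of the next option and the length byte it reads belongs to attacker-controlled option data.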

CVS commit: [netbsd-8] src/sys/netipsec

2017-12-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Dec  1 09:21:15 UTC 2017

Modified Files:
src/sys/netipsec [netbsd-8]: key.c

Log Message:
Pull up following revision(s) (requested by christos in ticket #415):
sys/netipsec/key.c: revision 1.244
sys/netipsec/key.c: revision 1.245
Use KDASSERT for mutex_ownable
Because mutex_ownable is not cheap.
Fix a deadlock happening if !NET_MPSAFE
If NET_MPSAFE isn't set, key_timehandler_work is executed while holding
softnet_lock. This means that localcount_drain can be called while holding
softnet_lock, resulting in a deadlock: localcount_drain waits for packet
processing to release a reference to an SP/SA while network processing is prevented
by softnet_lock.
Fix the deadlock by not taking softnet_lock in key_timehandler_work. It's okay
because IPsec is MP-safe even if !NET_MPSAFE. Note that the change also needs
to enable pserialize_perform because the IPsec code can be run in parallel now.
Reported by christos@


To generate a diff of this commit:
cvs rdiff -u -r1.163.2.4 -r1.163.2.5 src/sys/netipsec/key.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.4 src/sys/netipsec/key.c:1.163.2.5
--- src/sys/netipsec/key.c:1.163.2.4	Thu Nov 30 15:57:37 2017
+++ src/sys/netipsec/key.c	Fri Dec  1 09:21:15 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.4 2017/11/30 15:57:37 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.5 2017/12/01 09:21:15 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.4 2017/11/30 15:57:37 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.5 2017/12/01 09:21:15 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -800,7 +800,6 @@ key_sp_refcnt(const struct secpolicy *sp
 	return 0;
 }
 
-#ifdef NET_MPSAFE
 static void
 key_spd_pserialize_perform(void)
 {
@@ -818,7 +817,6 @@ key_spd_pserialize_perform(void)
 	key_spd.psz_performing = false;
 	cv_broadcast(_spd.cv_psz);
 }
-#endif
 
 /*
  * Remove the sp from the key_spd.splist and wait for references to the sp
@@ -836,10 +834,8 @@ key_unlink_sp(struct secpolicy *sp)
 	/* Invalidate all cached SPD pointers in the PCBs. */
 	ipsec_invalpcbcacheall();
 
-#ifdef NET_MPSAFE
-	KASSERT(mutex_ownable(softnet_lock));
+	KDASSERT(mutex_ownable(softnet_lock));
 	key_spd_pserialize_perform();
-#endif
 
 	localcount_drain(>localcount, _spd.cv_lc, _spd.lock);
 }
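Review bot: `KDASSERT` only exists in DEBUG kernels, so in a production kernel nothing checks any more that the caller of `localcount_drain()` is not holding softnet_lock; given the cost of `mutex_ownable()` the log cites that is a fair trade, but the precondition should then be written down in a comment at the four `key_*_pserialize_perform()` call sites this patch touches, since the deadlock the assert guarded against is exactly the one being fixed in key_timehandler_work.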
@@ -1493,7 +1489,6 @@ key_freesp_so(struct secpolicy **sp)
 }
 #endif
 
-#ifdef NET_MPSAFE
 static void
 key_sad_pserialize_perform(void)
 {
@@ -1511,7 +1506,6 @@ key_sad_pserialize_perform(void)
 	key_sad.psz_performing = false;
 	cv_broadcast(_sad.cv_psz);
 }
-#endif
 
 /*
  * Remove the sav from the savlist of its sah and wait for references to the sav
@@ -1525,10 +1519,8 @@ key_unlink_sav(struct secasvar *sav)
 
 	SAVLIST_WRITER_REMOVE(sav);
 
-#ifdef NET_MPSAFE
-	KASSERT(mutex_ownable(softnet_lock));
+	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
-#endif
 
 	localcount_drain(>localcount, _sad.cv_lc, _sad.lock);
 }
@@ -1567,10 +1559,8 @@ key_destroy_sav_with_ref(struct secasvar
 	KEY_SA_UNREF();
 
 	mutex_enter(_sad.lock);
-#ifdef NET_MPSAFE
-	KASSERT(mutex_ownable(softnet_lock));
+	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
-#endif
 	localcount_drain(>localcount, _sad.cv_lc, _sad.lock);
 	mutex_exit(_sad.lock);
 
@@ -3048,10 +3038,8 @@ key_unlink_sah(struct secashead *sah)
 	/* Remove from the sah list */
 	SAHLIST_WRITER_REMOVE(sah);
 
-#ifdef NET_MPSAFE
-	KASSERT(mutex_ownable(softnet_lock));
+	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
-#endif
 
 	localcount_drain(>localcount, _sad.cv_lc, _sad.lock);
 }
@@ -4862,13 +4850,10 @@ static void
 key_timehandler_work(struct work *wk, void *arg)
 {
 	time_t now = time_uptime;
-	IPSEC_DECLARE_LOCK_VARIABLE;
 
 	/* We can allow enqueuing another work at this point */
 	atomic_swap_uint(_timehandler_work_enqueued, 0);
 
-	IPSEC_ACQUIRE_GLOBAL_LOCKS();
-
 	key_timehandler_spd(now);
 	key_timehandler_sad(now);
 	key_timehandler_acq(now);
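Review bot: with `IPSEC_ACQUIRE_GLOBAL_LOCKS()` gone, `key_timehandler_spd/sad/acq` run without softnet_lock in !NET_MPSAFE kernels; the log's argument covers the SPD/SAD structures themselves, so please double-check that the expiry notifications these handlers push to PF_KEY sockets (the key_sendup_mbuf path reached from the expire routines) do not themselves expect softnet_lock in that configuration.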
@@ -4879,7 +4864,6 @@ key_timehandler_work(struct work *wk, vo
 	/* do exchange to tick time !! */
 	callout_reset(_timehandler_ch, hz, key_timehandler, NULL);
 
-	IPSEC_RELEASE_GLOBAL_LOCKS();
 	return;
 }
 



CVS commit: [netbsd-8] src/sys/netipsec

2017-11-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Thu Nov 30 14:57:34 UTC 2017

Modified Files:
src/sys/netipsec [netbsd-8]: ipsec.c key.c key.h

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #406):
sys/netipsec/key.c: revision 1.239
sys/netipsec/key.c: revision 1.240
sys/netipsec/key.c: revision 1.241
sys/netipsec/key.c: revision 1.242
sys/netipsec/key.h: revision 1.33
sys/netipsec/ipsec.c: revision 1.123
sys/netipsec/key.c: revision 1.236
sys/netipsec/key.c: revision 1.237
sys/netipsec/key.c: revision 1.238
Provide a function to call MGETHDR and MCLGET
The change fixes two usages of MGETHDR that don't check whether a mbuf is really
allocated before passing it to MCLGET.
Fix error handling of MCLGET in key_alloc_mbuf
Add missing splx to key_spdexpire
Use M_WAITOK to allocate mbufs wherever sleepable
Further changes will get rid of unnecessary NULL checks then.
Get rid of unnecessary NULL checks that are obsoleted by M_WAITOK
Simplify the code by avoiding unnecessary error checks
- Remove unnecessary m_pullup for self-allocated mbufs
- Replace some if-fails-return sanity checks with KASSERT
Call key_sendup_mbuf immediately unless key_acquire is called in softint
We need to defer it only if it's called in softint to avoid deadlock.


To generate a diff of this commit:
cvs rdiff -u -r1.99.2.1 -r1.99.2.2 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.163.2.2 -r1.163.2.3 src/sys/netipsec/key.c
cvs rdiff -u -r1.19.2.1 -r1.19.2.2 src/sys/netipsec/key.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.99.2.1 src/sys/netipsec/ipsec.c:1.99.2.2
--- src/sys/netipsec/ipsec.c:1.99.2.1	Sat Oct 21 19:43:54 2017
+++ src/sys/netipsec/ipsec.c	Thu Nov 30 14:57:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.99.2.1 2017/10/21 19:43:54 snj Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.99.2.2 2017/11/30 14:57:34 martin Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.1 2017/10/21 19:43:54 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.99.2.2 2017/11/30 14:57:34 martin Exp $");
 
 /*
  * IPsec controller part.
@@ -1422,7 +1422,7 @@ ipsec_get_policy(struct secpolicy *polic
 	if (policy == NULL || mp == NULL)
 		return EINVAL;
 
-	*mp = key_sp2msg(policy);
+	*mp = key_sp2msg(policy, M_NOWAIT);
 	if (!*mp) {
 		IPSECLOG(LOG_DEBUG, "No more memory.\n");
 		return ENOBUFS;
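Review bot: `M_NOWAIT` keeps the existing ENOBUFS branch, but ipsec_get_policy() is reached from the socket-option path where sleeping is allowed, which the log's rule ("M_WAITOK wherever sleepable") would cover; if this caller really cannot sleep, a one-line comment here saying why would stop the next cleanup from converting it.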

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.163.2.2 src/sys/netipsec/key.c:1.163.2.3
--- src/sys/netipsec/key.c:1.163.2.2	Tue Nov 21 11:11:20 2017
+++ src/sys/netipsec/key.c	Thu Nov 30 14:57:34 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.163.2.2 2017/11/21 11:11:20 martin Exp $	*/
+/*	$NetBSD: key.c,v 1.163.2.3 2017/11/30 14:57:34 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.2 2017/11/21 11:11:20 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.163.2.3 2017/11/30 14:57:34 martin Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -601,23 +601,18 @@ key_msghdr_get_sockaddr(const struct sad
 	return PFKEY_ADDR_SADDR(mhp->ext[idx]);
 }
 
-static struct mbuf *
+static void
 key_fill_replymsg(struct mbuf *m, int seq)
 {
 	struct sadb_msg *msg;
 
-	if (m->m_len < sizeof(*msg)) {
-		m = m_pullup(m, sizeof(*msg));
-		if (m == NULL)
-			return NULL;
-	}
+	KASSERT(m->m_len >= sizeof(*msg));
+
 	msg = mtod(m, struct sadb_msg *);
 	msg->sadb_msg_errno = 0;
 	msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
 	if (seq != 0)
 		msg->sadb_msg_seq = seq;
-
-	return m;
 }
 
 #if 0
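Review bot: replacing the `m_pullup` with `KASSERT(m->m_len >= sizeof(*msg))` turns a runtime fix-up into a caller contract, and in a non-DIAGNOSTIC kernel the assert compiles away, leaving `mtod()` to read past a first mbuf shorter than `struct sadb_msg`. That holds for the self-allocated reply mbufs the log describes, so a comment above the KASSERT stating that `m` must come from the new MGETHDR/MCLGET helper with a contiguous header would keep future callers honest.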
@@ -684,17 +679,17 @@ static struct mbuf *key_setsadbxfrag (u_
 static void key_porttosaddr (union sockaddr_union *, u_int16_t);
 static int key_checksalen (const union sockaddr_union *);
 static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t,
-	u_int32_t, pid_t, u_int16_t);
+	u_int32_t, pid_t, u_int16_t, int);
 static struct mbuf *key_setsadbsa (struct secasvar *);
-static struct mbuf *key_setsadbaddr (u_int16_t,
-	const struct sockaddr *, u_int8_t, u_int16_t);
+static struct mbuf *key_setsadbaddr(u_int16_t,
+	const struct sockaddr *, u_int8_t, u_int16_t, int);
 #if 0
 static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *,
 	int, u_int64_t);
 #endif
 static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t);
 static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t,
-	u_int32_t);
+	u_int32_t, int);
 static void *key_newbuf (const void *, u_int);
 #ifdef INET6
 static int 
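Review bot: the trailing `int` added to key_setsadbmsg, key_setsadbaddr and key_setsadbxpolicy is the M_WAITOK/M_NOWAIT mbuf allocation flag; the prototypes carry no parameter names in this file, so a short comment on the block naming it would help, since an unnamed `int` at the end of a signature otherwise reads like a length.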
