CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Feb 5 12:35:10 UTC 2012 Modified Files: src/sys/net [netbsd-5-0]: route.c Log Message: Pull up following revision(s) (requested by christos in ticket #1721): sys/net/route.c: revision 1.126 Count length from the beginning of the structure not the sa_data portion. =46rom skrll@ To generate a diff of this commit: cvs rdiff -u -r1.113.4.1 -r1.113.4.1.2.1 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.113.4.1 src/sys/net/route.c:1.113.4.1.2.1
--- src/sys/net/route.c:1.113.4.1 Fri Apr 3 17:59:03 2009
+++ src/sys/net/route.c Sun Feb 5 12:35:10 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $ */
+/* $NetBSD: route.c,v 1.113.4.1.2.1 2012/02/05 12:35:10 bouyer Exp $ */
 /*- * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -93,7 +93,7 @@
 #include "opt_route.h" #include
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.113.4.1.2.1 2012/02/05 12:35:10 bouyer Exp $");
 #include #include
@@ -847,8 +847,8 @@ rt_maskedcopy(const struct sockaddr *src
 const char *netmaskp = &netmask->sa_data[0], *srcp = &src->sa_data[0]; char *dstp = &dst->sa_data[0];
- const char *maskend = dstp + MIN(netmask->sa_len, src->sa_len);
- const char *srcend = dstp + src->sa_len;
+ const char *maskend = (char *)dst + MIN(netmask->sa_len, src->sa_len);
+ const char *srcend = (char *)dst + src->sa_len;
 dst->sa_len = src->sa_len; dst->sa_family = src->sa_family;
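Review bot: Both end pointers in rt_maskedcopy are still derived only from `src->sa_len` and `netmask->sa_len`, and nothing in this hunk relates them to the storage behind `dst`, so the caller has to guarantee that `dst` has room for `src->sa_len` bytes. That precondition and the reason for the new base are worth recording above the two declarations, e.g. `/* sa_len counts from the start of the sockaddr, not from sa_data; dst must hold at least src->sa_len bytes */`. The function body starts and ends outside the hunk, so a size check elsewhere in it cannot be ruled out.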
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: riz Date: Mon Aug 8 19:36:02 UTC 2011 Modified Files: src/sys/net [netbsd-5-0]: if.c Log Message: Pull up following revision(s) (requested by sborrill in ticket #1643): sys/net/if.c: revision 1.243 Prevent if_detach() from crashing while it walks the routing table to find and unlink routes that reference the detached ifnet: make if_rt_walktree() return ERESTART whenever it has deleted a route. Whenever rt_walktree() returns ERESTART, if_detach() restarts it. I believe that this fix resembles one by Jonathan Kollasch or by someone else, which has languished in a PR for too long. Sorry! Tested by me and by Jeff Rizzo. XXX It's supposed to be safe for rn_walktree() to apply to the routing XXX table a routine that may delete routes. Why isn't it safe in XXX practice? To generate a diff of this commit: cvs rdiff -u -r1.230.4.1 -r1.230.4.1.2.1 src/sys/net/if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.230.4.1 src/sys/net/if.c:1.230.4.1.2.1
--- src/sys/net/if.c:1.230.4.1 Tue Feb 24 02:26:42 2009
+++ src/sys/net/if.c Mon Aug 8 19:36:02 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: if.c,v 1.230.4.1 2009/02/24 02:26:42 snj Exp $ */
+/* $NetBSD: if.c,v 1.230.4.1.2.1 2011/08/08 19:36:02 riz Exp $ */
 /*- * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
 */ #include
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.230.4.1 2009/02/24 02:26:42 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.230.4.1.2.1 2011/08/08 19:36:02 riz Exp $");
 #include "opt_inet.h"
@@ -726,8 +726,10 @@
 if_free_sadl(ifp); /* Walk the routing table looking for stragglers. */
- for (i = 0; i <= AF_MAX; i++)
- (void)rt_walktree(i, if_rt_walktree, ifp);
+ for (i = 0; i <= AF_MAX; i++) {
+ while (rt_walktree(i, if_rt_walktree, ifp) == ERESTART)
+ ;
+ }
 DOMAIN_FOREACH(dp) { if (dp->dom_ifdetach != NULL && ifp->if_afdata[dp->dom_family])
@@ -838,7 +840,7 @@
 if (error != 0) printf("%s: warning: unable to delete rtentry @ %p, " "error = %d\n", ifp->if_xname, rt, error);
- return 0;
+ return ERESTART;
 } /*
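Review bot: The new `return ERESTART;` at the end of if_rt_walktree is reached even when `error != 0`, that is when the delete failed, although the log message says ERESTART is returned whenever a route has been deleted. Together with the unbounded `while (rt_walktree(i, if_rt_walktree, ifp) == ERESTART) ;` loop in the if_detach hunk, a route that keeps matching and keeps failing to delete would make the detach spin forever, printing the warning on every pass. Both function bodies start outside their hunks, so whether earlier code stops the entry from matching again is not visible here. If it does not, return ERESTART only on success, `return error == 0 ? ERESTART : 0;`, or bound the number of restarts.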
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: bouyer Date: Tue Mar 22 20:02:36 UTC 2011 Modified Files: src/sys/net [netbsd-5-0]: bpf_filter.c Log Message: Pull up following revision(s) (requested by spz in ticket #1571): sys/net/bpf_filter.c: revision 1.36, 1.42 -> 1.46 via patch Avoid stack memory disclosure by keeping track during filter validation time of initialized memory. Idea taken from linux. Use __CTASSERT Use kmem instead of malloc. Requested by rmind. Fix userland build. delint. the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from Guy Harris per PR kern/43185 fixes possible division-by-zero crashes by evil filter expressions like "len / 0 = 1" pullup candidate To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.10.1 src/sys/net/bpf_filter.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.35 src/sys/net/bpf_filter.c:1.35.10.1
--- src/sys/net/bpf_filter.c:1.35 Wed Aug 20 13:01:54 2008
+++ src/sys/net/bpf_filter.c Tue Mar 22 20:02:36 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf_filter.c,v 1.35 2008/08/20 13:01:54 joerg Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.35.10.1 2011/03/22 20:02:36 bouyer Exp $ */
 /*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
 */ #include
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.35 2008/08/20 13:01:54 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.35.10.1 2011/03/22 20:02:36 bouyer Exp $");
 #if 0 #if !(defined(lint) || defined(KERNEL))
@@ -48,6 +48,7 @@
 #include #include
+#include
 #include #define EXTRACT_SHORT(p) be16dec(p)
@@ -147,8 +148,7 @@
 A = 0; X = 0; --pc;
- /* CONSTCOND */
- while (1) {
+ for (;;) {
 ++pc; switch (pc->code) {
@@ -157,6 +157,7 @@
 return 0; #else abort();
+ /*NOTREACHED*/
 #endif case BPF_RET|BPF_K: return (u_int)pc->k;
@@ -461,16 +462,38 @@
 * The kernel needs to be able to verify an application's filter code. * Otherwise, a bogus program could easily crash the system. */
+CTASSERT(BPF_MEMWORDS == sizeof(uint16_t) * NBBY);
+
 int
-bpf_validate(struct bpf_insn *f, int len)
+bpf_validate(struct bpf_insn *f, int signed_len)
 {
- u_int i, from;
- struct bpf_insn *p;
+ u_int i, from, len, ok = 0;
+ const struct bpf_insn *p;
+#if defined(KERNEL) || defined(_KERNEL)
+ uint16_t *mem, invalid;
+ size_t size;
+#endif
- if (len < 1 || len > BPF_MAXINSNS)
+ len = (u_int)signed_len;
+ if (len < 1)
+ return 0;
+#if defined(KERNEL) || defined(_KERNEL)
+ if (len > BPF_MAXINSNS)
+ return 0;
+#endif
+ if (BPF_CLASS(f[len - 1].code) != BPF_RET)
 return 0;
+#if defined(KERNEL) || defined(_KERNEL)
+ mem = kmem_zalloc(size = sizeof(*mem) * len, KM_SLEEP);
+ invalid = ~0; /* All is invalid on startup */
+#endif
+
 for (i = 0; i < len; ++i) {
+#if defined(KERNEL) || defined(_KERNEL)
+ /* blend in any invalid bits for current pc */
+ invalid |= mem[i];
+#endif
 p = &f[i]; switch (BPF_CLASS(p->code)) { /*
@@ -480,8 +503,22 @@
 case BPF_LDX: switch (BPF_MODE(p->code)) { case BPF_MEM:
+/*
+ * There's no maximum packet data size
+ * in userland. The runtime packet length
+ * check suffices.
+ */
+#if defined(KERNEL) || defined(_KERNEL)
+/*
+ * More strict check with actual packet length
+ * is done runtime.
+ */
 if (p->k >= BPF_MEMWORDS)
- return 0;
+ goto out;
+/* check for current memory invalid */
+if (invalid & (1 << p->k))
+ goto out;
+#endif
 break; case BPF_ABS: case BPF_IND:
@@ -490,13 +527,17 @@
 case BPF_LEN: break; default:
-return 0;
+goto out;
 } break; case BPF_ST: case BPF_STX: if (p->k >= BPF_MEMWORDS)
-return 0;
+goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+ /* validate the memory word */
+ invalid &= ~(1 << p->k);
+#endif
 break; case BPF_ALU: switch (BPF_OP(p->code)) {
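Review bot: In a non-kernel build a negative `signed_len` is no longer rejected at the top of bpf_validate. The cast `len = (u_int)signed_len` turns it into a large value that passes `len < 1`, the `len > BPF_MAXINSNS` test is compiled only for the kernel, and `f[len - 1].code` is then read far outside the program. Testing the signed value before the cast keeps the old rejection in both builds: `if (signed_len < 1) return 0;` followed by `len = (u_int)signed_len;`. The body of bpf_validate continues outside this hunk.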
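Review bot: The scratch-memory bound `if (p->k >= BPF_MEMWORDS) goto out;` in the `case BPF_MEM:` arm now sits inside `#if defined(KERNEL) || defined(_KERNEL)`, so a userland build of the validator accepts a load from any memory-word index. The two comments added above it talk about packet data size and packet length, which describe packet-offset loads rather than `BPF_MEM`, so the block looks as if it was merged into the wrong case; the enclosing switch is only partly visible, so this is an inference. Keeping the bound unconditional and guarding only the `invalid` test would match the BPF_ST/BPF_STX arm in the next hunk, which checks `p->k` in both builds. The BPF_JA hunk further down moves its wrap-around test `from + p->k < from` under the same kernel-only guard and deserves the same look.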
@@ -513,11 +554,11 @@
 /* * Check for constant division by 0. */
-if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
- return 0;
+if (BPF_SRC(p->code) == BPF_K && p->k == 0)
+ goto out;
 break; default:
-return 0;
+goto out;
 } break; case BPF_JMP:
@@ -540,18 +581,37 @@
 from = i + 1; switch (BPF_OP(p->code)) { case BPF_JA:
-if (from + p->k < from || from + p->k >= len)
- return 0;
+if (from + p->k >= len)
+ goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+if (from + p->k < from)
+ goto out;
+/*
+ * mark the currently invalid bits for the
+ * destination
+ */
+mem[from + p->k] |= invalid;
+invalid = 0;
+#endif
 break; case BPF_JEQ: case BPF_JGT: case BPF_JGE: case BPF_JSET: if (from + p->jt >= len || from + p->jf >= len)
- return 0;
+ goto out;
+#if defined(KERNEL) || defined(_KERNEL)
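Review bot: The zero-divisor test in the first hunk rejects only a constant operand (`BPF_SRC(p->code) == BPF_K`); a divide whose source is the X register passes validation whatever X holds when the filter runs. The comment should say so, for example `/* Check for constant division by 0; a divisor taken from X can only be checked when the filter runs. */`, so that a reader does not take the validator as the complete guard. The case label and the interpreter are outside this hunk, so whether the run-time check exists cannot be confirmed from here.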
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Jan 16 13:04:51 UTC 2011 Modified Files: src/sys/net [netbsd-5-0]: raw_usrreq.c Log Message: Pull up following revision(s) (requested by pooka in ticket #1529): sys/net/raw_usrreq.c: revision 1.36 Apply patch from PR kern/44369 by Wolfgang Stukenbrock. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/net/raw_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/raw_usrreq.c
diff -u src/sys/net/raw_usrreq.c:1.35 src/sys/net/raw_usrreq.c:1.35.14.1
--- src/sys/net/raw_usrreq.c:1.35 Thu May 29 17:26:56 2008
+++ src/sys/net/raw_usrreq.c Sun Jan 16 13:04:51 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $ */
+/* $NetBSD: raw_usrreq.c,v 1.35.14.1 2011/01/16 13:04:51 bouyer Exp $ */
 /* * Copyright (c) 1980, 1986, 1993
@@ -32,7 +32,7 @@
 */ #include
-__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.35.14.1 2011/01/16 13:04:51 bouyer Exp $");
 #include #include
@@ -276,7 +276,8 @@
 /* * stat: don't bother with a blocksize. */
- return (0);
+ error = 0;
+ break;
 /* * Not supported.
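Review bot: Neither the code nor the log message, which only cites PR kern/44369, says why the stat case must no longer return directly. A short why-comment on the new lines would keep a later cleanup from restoring the early return, e.g. extending the existing comment with ` * Leave through the end of the switch so the common exit code runs.`. The switch and whatever follows it are outside the hunk, so the cleanup that the early return skipped is not visible here. Other cases in the same function that still return directly would be worth checking for the same problem.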