CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Feb 5 12:35:10 UTC 2012 Modified Files: src/sys/net [netbsd-5-0]: route.c Log Message: Pull up following revision(s) (requested by christos in ticket #1721): sys/net/route.c: revision 1.126 Count length from the beginning of the structure not the sa_data portion. =46rom skrll@ To generate a diff of this commit: cvs rdiff -u -r1.113.4.1 -r1.113.4.1.2.1 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/route.c diff -u src/sys/net/route.c:1.113.4.1 src/sys/net/route.c:1.113.4.1.2.1 --- src/sys/net/route.c:1.113.4.1 Fri Apr 3 17:59:03 2009 +++ src/sys/net/route.c Sun Feb 5 12:35:10 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $ */ +/* $NetBSD: route.c,v 1.113.4.1.2.1 2012/02/05 12:35:10 bouyer Exp $ */ /*- * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc. @@ -93,7 +93,7 @@ #include opt_route.h #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $); +__KERNEL_RCSID(0, $NetBSD: route.c,v 1.113.4.1.2.1 2012/02/05 12:35:10 bouyer Exp $); #include sys/param.h #include sys/sysctl.h @@ -847,8 +847,8 @@ rt_maskedcopy(const struct sockaddr *src const char *netmaskp = netmask-sa_data[0], *srcp = src-sa_data[0]; char *dstp = dst-sa_data[0]; - const char *maskend = dstp + MIN(netmask-sa_len, src-sa_len); - const char *srcend = dstp + src-sa_len; + const char *maskend = (char *)dst + MIN(netmask-sa_len, src-sa_len); + const char *srcend = (char *)dst + src-sa_len; dst-sa_len = src-sa_len; dst-sa_family = src-sa_family;
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src
Committed By: riz
Date: Mon Aug 8 19:36:02 UTC 2011
Modified Files:
src/sys/net [netbsd-5-0]: if.c
Log Message:
Pull up following revision(s) (requested by sborrill in ticket #1643):
sys/net/if.c: revision 1.243
Prevent if_detach() from crashing while it walks the routing table
to find and unlink routes that reference the detached ifnet: make
if_rt_walktree() return ERESTART whenever it has deleted a route.
Whenever rt_walktree() returns ERESTART, if_detach() restarts it.
I believe that this fix resembles one by Jonathan Kollasch or by someone
else, which has languished in a PR for too long. Sorry!
Tested by me and by Jeff Rizzo.
XXX It's supposed to be safe for rn_walktree() to apply to the routing
XXX table a routine that may delete routes. Why isn't it safe in
XXX practice?
To generate a diff of this commit:
cvs rdiff -u -r1.230.4.1 -r1.230.4.1.2.1 src/sys/net/if.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.230.4.1 src/sys/net/if.c:1.230.4.1.2.1
--- src/sys/net/if.c:1.230.4.1 Tue Feb 24 02:26:42 2009
+++ src/sys/net/if.c Mon Aug 8 19:36:02 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: if.c,v 1.230.4.1 2009/02/24 02:26:42 snj Exp $ */
+/* $NetBSD: if.c,v 1.230.4.1.2.1 2011/08/08 19:36:02 riz Exp $ */
/*-
* Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: if.c,v 1.230.4.1 2009/02/24 02:26:42 snj Exp $);
+__KERNEL_RCSID(0, $NetBSD: if.c,v 1.230.4.1.2.1 2011/08/08 19:36:02 riz Exp $);
#include opt_inet.h
@@ -726,8 +726,10 @@
if_free_sadl(ifp);
/* Walk the routing table looking for stragglers. */
- for (i = 0; i = AF_MAX; i++)
- (void)rt_walktree(i, if_rt_walktree, ifp);
+ for (i = 0; i = AF_MAX; i++) {
+ while (rt_walktree(i, if_rt_walktree, ifp) == ERESTART)
+ ;
+ }
DOMAIN_FOREACH(dp) {
if (dp-dom_ifdetach != NULL ifp-if_afdata[dp-dom_family])
@@ -838,7 +840,7 @@
if (error != 0)
printf(%s: warning: unable to delete rtentry @ %p,
error = %d\n, ifp-if_xname, rt, error);
- return 0;
+ return ERESTART;
}
/*
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src
Committed By: bouyer
Date: Tue Mar 22 20:02:36 UTC 2011
Modified Files:
src/sys/net [netbsd-5-0]: bpf_filter.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1571):
sys/net/bpf_filter.c: revision 1.36, 1.42 - 1.46 via patch
Avoid stack memory disclosure by keeping track during filter validation time
of initialized memory. Idea taken from linux.
Use __CTASSERT
Use kmem instead of malloc. Requested by rmind.
Fix userland build.
delint.
the correct check for BPF_K is with BPF_SRC for BPF_ALU ops, from
Guy Harris per PR kern/43185
fixes possible division-by-zero crashes by evil filter expressions
like len / 0 = 1
pullup candidate
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.35.10.1 src/sys/net/bpf_filter.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.35 src/sys/net/bpf_filter.c:1.35.10.1
--- src/sys/net/bpf_filter.c:1.35 Wed Aug 20 13:01:54 2008
+++ src/sys/net/bpf_filter.c Tue Mar 22 20:02:36 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf_filter.c,v 1.35 2008/08/20 13:01:54 joerg Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.35.10.1 2011/03/22 20:02:36 bouyer Exp $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
*/
#include sys/cdefs.h
-__KERNEL_RCSID(0, $NetBSD: bpf_filter.c,v 1.35 2008/08/20 13:01:54 joerg Exp $);
+__KERNEL_RCSID(0, $NetBSD: bpf_filter.c,v 1.35.10.1 2011/03/22 20:02:36 bouyer Exp $);
#if 0
#if !(defined(lint) || defined(KERNEL))
@@ -48,6 +48,7 @@
#include sys/param.h
#include sys/time.h
+#include sys/kmem.h
#include sys/endian.h
#define EXTRACT_SHORT(p) be16dec(p)
@@ -147,8 +148,7 @@
A = 0;
X = 0;
--pc;
- /* CONSTCOND */
- while (1) {
+ for (;;) {
++pc;
switch (pc-code) {
@@ -157,6 +157,7 @@
return 0;
#else
abort();
+ /*NOTREACHED*/
#endif
case BPF_RET|BPF_K:
return (u_int)pc-k;
@@ -461,16 +462,38 @@
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
*/
+CTASSERT(BPF_MEMWORDS == sizeof(uint16_t) * NBBY);
+
int
-bpf_validate(struct bpf_insn *f, int len)
+bpf_validate(struct bpf_insn *f, int signed_len)
{
- u_int i, from;
- struct bpf_insn *p;
+ u_int i, from, len, ok = 0;
+ const struct bpf_insn *p;
+#if defined(KERNEL) || defined(_KERNEL)
+ uint16_t *mem, invalid;
+ size_t size;
+#endif
- if (len 1 || len BPF_MAXINSNS)
+ len = (u_int)signed_len;
+ if (len 1)
+ return 0;
+#if defined(KERNEL) || defined(_KERNEL)
+ if (len BPF_MAXINSNS)
+ return 0;
+#endif
+ if (BPF_CLASS(f[len - 1].code) != BPF_RET)
return 0;
+#if defined(KERNEL) || defined(_KERNEL)
+ mem = kmem_zalloc(size = sizeof(*mem) * len, KM_SLEEP);
+ invalid = ~0; /* All is invalid on startup */
+#endif
+
for (i = 0; i len; ++i) {
+#if defined(KERNEL) || defined(_KERNEL)
+ /* blend in any invalid bits for current pc */
+ invalid |= mem[i];
+#endif
p = f[i];
switch (BPF_CLASS(p-code)) {
/*
@@ -480,8 +503,22 @@
case BPF_LDX:
switch (BPF_MODE(p-code)) {
case BPF_MEM:
+/*
+ * There's no maximum packet data size
+ * in userland. The runtime packet length
+ * check suffices.
+ */
+#if defined(KERNEL) || defined(_KERNEL)
+/*
+ * More strict check with actual packet length
+ * is done runtime.
+ */
if (p-k = BPF_MEMWORDS)
- return 0;
+ goto out;
+/* check for current memory invalid */
+if (invalid (1 p-k))
+ goto out;
+#endif
break;
case BPF_ABS:
case BPF_IND:
@@ -490,13 +527,17 @@
case BPF_LEN:
break;
default:
-return 0;
+goto out;
}
break;
case BPF_ST:
case BPF_STX:
if (p-k = BPF_MEMWORDS)
-return 0;
+goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+ /* validate the memory word */
+ invalid = ~(1 p-k);
+#endif
break;
case BPF_ALU:
switch (BPF_OP(p-code)) {
@@ -513,11 +554,11 @@
/*
* Check for constant division by 0.
*/
-if (BPF_RVAL(p-code) == BPF_K p-k == 0)
- return 0;
+if (BPF_SRC(p-code) == BPF_K p-k == 0)
+ goto out;
break;
default:
-return 0;
+goto out;
}
break;
case BPF_JMP:
@@ -540,18 +581,37 @@
from = i + 1;
switch (BPF_OP(p-code)) {
case BPF_JA:
-if (from + p-k from || from + p-k = len)
- return 0;
+if (from + p-k = len)
+ goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+if (from + p-k from)
+ goto out;
+/*
+ * mark the currently invalid bits for the
+ * destination
+ */
+mem[from + p-k] |= invalid;
+invalid = 0;
+#endif
break;
case BPF_JEQ:
case BPF_JGT:
case BPF_JGE:
case BPF_JSET:
if (from + p-jt = len || from + p-jf = len)
- return 0;
+ goto out;
+#if defined(KERNEL) ||
CVS commit: [netbsd-5-0] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Jan 16 13:04:51 UTC 2011 Modified Files: src/sys/net [netbsd-5-0]: raw_usrreq.c Log Message: Pull up following revision(s) (requested by pooka in ticket #1529): sys/net/raw_usrreq.c: revision 1.36 Apply patch from PR kern/44369 by Wolfgang Stukenbrock. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.14.1 src/sys/net/raw_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/net/raw_usrreq.c diff -u src/sys/net/raw_usrreq.c:1.35 src/sys/net/raw_usrreq.c:1.35.14.1 --- src/sys/net/raw_usrreq.c:1.35 Thu May 29 17:26:56 2008 +++ src/sys/net/raw_usrreq.c Sun Jan 16 13:04:51 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $ */ +/* $NetBSD: raw_usrreq.c,v 1.35.14.1 2011/01/16 13:04:51 bouyer Exp $ */ /* * Copyright (c) 1980, 1986, 1993 @@ -32,7 +32,7 @@ */ #include sys/cdefs.h -__KERNEL_RCSID(0, $NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $); +__KERNEL_RCSID(0, $NetBSD: raw_usrreq.c,v 1.35.14.1 2011/01/16 13:04:51 bouyer Exp $); #include sys/param.h #include sys/mbuf.h @@ -276,7 +276,8 @@ /* * stat: don't bother with a blocksize. */ - return (0); + error = 0; + break; /* * Not supported.
