CVS commit: [netbsd-5-1] src/sys/net
Module Name:src Committed By: msaitoh Date: Wed Sep 11 07:31:20 UTC 2013 Modified Files: src/sys/net [netbsd-5-1]: bpf.c Log Message: Pull up following revision(s) (requested by spz in ticket #1874): sys/net/bpf.c: revision 1.176 via patch PR/48198: Peter Bex: Avoid kernel panic caused by setting a very small bpf buffer size. To generate a diff of this commit: cvs rdiff -u -r1.141.6.1 -r1.141.6.1.6.1 src/sys/net/bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/bpf.c
diff -u src/sys/net/bpf.c:1.141.6.1 src/sys/net/bpf.c:1.141.6.1.6.1
--- src/sys/net/bpf.c:1.141.6.1 Sat Apr 4 23:36:28 2009
+++ src/sys/net/bpf.c Wed Sep 11 07:31:20 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf.c,v 1.141.6.1 2009/04/04 23:36:28 snj Exp $ */
+/* $NetBSD: bpf.c,v 1.141.6.1.6.1 2013/09/11 07:31:20 msaitoh Exp $ */
 /*
 * Copyright (c) 1990, 1991, 1993
@@ -39,7 +39,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.141.6.1 2009/04/04 23:36:28 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.141.6.1.6.1 2013/09/11 07:31:20 msaitoh Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_bpf.h"
@@ -1453,7 +1453,7 @@ catchpacket(struct bpf_d *d, u_char *pkt
 void *(*cpfn)(void *, const void *, size_t), struct timeval *tv)
 {
 struct bpf_hdr *hp;
- int totlen, curlen;
+ int totlen, curlen, caplen;
 int hdrlen = d->bd_bif->bif_hdrlen;
 int do_wakeup = 0;
@@ -1468,6 +1468,13 @@ catchpacket(struct bpf_d *d, u_char *pkt
 totlen = hdrlen + min(snaplen, pktlen);
 if (totlen > d->bd_bufsize)
 totlen = d->bd_bufsize;
+ /*
+ * If we adjusted totlen to fit the bufsize, it could be that
+ * totlen is smaller than hdrlen because of the link layer header.
+ */
+ caplen = totlen - hdrlen;
+ if (caplen < 0)
+ caplen = 0;
 /*
 * Round up the end of the previous packet to the next longword.
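Review bot: The clamp only fixes the copy length: when `totlen` has been cut to `d->bd_bufsize` and that is smaller than `hdrlen`, the header fields stored through `hp` in the following hunk (`bh_tstamp`, `bh_datalen`, `bh_hdrlen`, `bh_caplen`) are still written at full `struct bpf_hdr` width, and the record's `bh_hdrlen` is then larger than the `totlen` bytes added to `bd_slen`. That is presumably safe only because a minimum buffer size is enforced where `bd_bufsize` is set (BIOCSBLEN), which this diff does not show, so the dependency should be stated at the clamp: `/* assumes bd_bufsize >= sizeof(struct bpf_hdr) (BIOCSBLEN minimum); only the link-layer part can be cut here */`. The `catchpacket()` signature appears in the previous hunk and the function body continues outside this one.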
@@ -1507,10 +1514,11 @@ catchpacket(struct bpf_d *d, u_char *pkt
 hp->bh_tstamp = *tv;
 hp->bh_datalen = pktlen;
 hp->bh_hdrlen = hdrlen;
+ hp->bh_caplen = caplen;
 /*
 * Copy the packet data into the store buffer and update its length.
 */
- (*cpfn)((u_char *)hp + hdrlen, pkt, (hp->bh_caplen = totlen - hdrlen));
+ (*cpfn)((u_char *)hp + hdrlen, pkt, caplen);
 d->bd_slen = curlen + totlen;
 /*
CVS commit: [netbsd-5-1] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Feb 5 12:35:15 UTC 2012 Modified Files: src/sys/net [netbsd-5-1]: route.c Log Message: Pull up following revision(s) (requested by christos in ticket #1721): sys/net/route.c: revision 1.126 Count length from the beginning of the structure not the sa_data portion. =46rom skrll@ To generate a diff of this commit: cvs rdiff -u -r1.113.4.1 -r1.113.4.1.6.1 src/sys/net/route.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.113.4.1 src/sys/net/route.c:1.113.4.1.6.1
--- src/sys/net/route.c:1.113.4.1 Fri Apr 3 17:59:03 2009
+++ src/sys/net/route.c Sun Feb 5 12:35:15 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $ */
+/* $NetBSD: route.c,v 1.113.4.1.6.1 2012/02/05 12:35:15 bouyer Exp $ */
 /*-
 * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -93,7 +93,7 @@
 #include "opt_route.h"
 #include
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.113.4.1 2009/04/03 17:59:03 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.113.4.1.6.1 2012/02/05 12:35:15 bouyer Exp $");
 #include
 #include
@@ -847,8 +847,8 @@ rt_maskedcopy(const struct sockaddr *src
 const char *netmaskp = &netmask->sa_data[0], *srcp = &src->sa_data[0];
 char *dstp = &dst->sa_data[0];
- const char *maskend = dstp + MIN(netmask->sa_len, src->sa_len);
- const char *srcend = dstp + src->sa_len;
+ const char *maskend = (char *)dst + MIN(netmask->sa_len, src->sa_len);
+ const char *srcend = (char *)dst + src->sa_len;
 dst->sa_len = src->sa_len;
 dst->sa_family = src->sa_family;
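Review bot: The corrected end pointers are right but read as a mistake next to the declarations above them: `maskend` and `srcend` are now offsets from `dst`, while `dstp`, `srcp` and `netmaskp` still point at `sa_data`, and nothing says that `sa_len` counts the whole sockaddr including the `sa_len`/`sa_family` prefix, which is exactly why the old `dstp + ...` form ran past the end by that prefix. Add `/* sa_len counts the whole sockaddr, so the end pointers are relative to dst, not to sa_data */` above the two `const char *` lines. `MIN(netmask->sa_len, src->sa_len)` still takes both lengths as given; presumably callers size `dst` for `src->sa_len`, which is worth confirming since the copy loop that uses these bounds lies outside the hunk.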
CVS commit: [netbsd-5-1] src/sys/net
Module Name:src Committed By: riz Date: Mon Aug 8 19:35:16 UTC 2011 Modified Files: src/sys/net [netbsd-5-1]: if.c Log Message: Pull up following revision(s) (requested by sborrill in ticket #1643): sys/net/if.c: revision 1.243 Prevent if_detach() from crashing while it walks the routing table to find and unlink routes that reference the detached ifnet: make if_rt_walktree() return ERESTART whenever it has deleted a route. Whenever rt_walktree() returns ERESTART, if_detach() restarts it. I believe that this fix resembles one by Jonathan Kollasch or by someone else, which has languished in a PR for too long. Sorry! Tested by me and by Jeff Rizzo. XXX It's supposed to be safe for rn_walktree() to apply to the routing XXX table a routine that may delete routes. Why isn't it safe in XXX practice? To generate a diff of this commit: cvs rdiff -u -r1.230.4.3 -r1.230.4.3.2.1 src/sys/net/if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.230.4.3 src/sys/net/if.c:1.230.4.3.2.1
--- src/sys/net/if.c:1.230.4.3 Sat Jun 12 16:37:55 2010
+++ src/sys/net/if.c Mon Aug 8 19:35:15 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: if.c,v 1.230.4.3 2010/06/12 16:37:55 riz Exp $ */
+/* $NetBSD: if.c,v 1.230.4.3.2.1 2011/08/08 19:35:15 riz Exp $ */
 /*-
 * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.230.4.3 2010/06/12 16:37:55 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.230.4.3.2.1 2011/08/08 19:35:15 riz Exp $");
 #include "opt_inet.h"
@@ -726,8 +726,10 @@
 if_free_sadl(ifp);
 /* Walk the routing table looking for stragglers. */
- for (i = 0; i <= AF_MAX; i++)
- (void)rt_walktree(i, if_rt_walktree, ifp);
+ for (i = 0; i <= AF_MAX; i++) {
+ while (rt_walktree(i, if_rt_walktree, ifp) == ERESTART)
+ ;
+ }
 DOMAIN_FOREACH(dp) {
 if (dp->dom_ifdetach != NULL && ifp->if_afdata[dp->dom_family])
@@ -838,7 +840,7 @@
 if (error != 0)
 printf("%s: warning: unable to delete rtentry @ %p, "
 "error = %d\n", ifp->if_xname, rt, error);
- return 0;
+ return ERESTART;
 }
 /*
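Review bot: `return ERESTART;` in the second hunk is unconditional, so it is also taken on the `error != 0` path where the delete failed and was only logged by the `printf` above it; since that entry presumably still references `ifp`, the next `rt_walktree()` pass in the first hunk finds it again and the `while (... == ERESTART)` loop has no way to terminate. Return the restart code only when the entry was actually removed, e.g. `return error != 0 ? 0 : ERESTART;`, so a persistent failure degrades to the old behaviour (logged and skipped) instead of a hang in `if_detach()`. Both `if_detach()` and `if_rt_walktree()` begin outside these hunks.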
CVS commit: [netbsd-5-1] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Mar 20 21:28:13 UTC 2011 Modified Files: src/sys/net [netbsd-5-1]: bpf_filter.c Log Message: Pull up following revision(s) (requested by spz in ticket #1571): sys/net/bpf_filter.c: revision 1.42 - 1.46 via patch Avoid stack memory disclosure by keeping track during filter validation time of initialized memory. Idea taken from linux. Use __CTASSERT Use kmem instead of malloc. Requested by rmind. Fix userland build. delint. To generate a diff of this commit: cvs rdiff -u -r1.35.4.1 -r1.35.4.1.2.1 src/sys/net/bpf_filter.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/bpf_filter.c
diff -u src/sys/net/bpf_filter.c:1.35.4.1 src/sys/net/bpf_filter.c:1.35.4.1.2.1
--- src/sys/net/bpf_filter.c:1.35.4.1 Thu May 20 05:13:13 2010
+++ src/sys/net/bpf_filter.c Sun Mar 20 21:28:13 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf_filter.c,v 1.35.4.1 2010/05/20 05:13:13 snj Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.35.4.1.2.1 2011/03/20 21:28:13 bouyer Exp $ */
 /*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.35.4.1 2010/05/20 05:13:13 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.35.4.1.2.1 2011/03/20 21:28:13 bouyer Exp $");
 #if 0
 #if !(defined(lint) || defined(KERNEL))
@@ -48,6 +48,7 @@
 #include
 #include
+#include
 #include
 #define EXTRACT_SHORT(p) be16dec(p)
@@ -147,8 +148,7 @@
 A = 0;
 X = 0;
 --pc;
- /* CONSTCOND */
- while (1) {
+ for (;;) {
 ++pc;
 switch (pc->code) {
@@ -157,6 +157,7 @@
 return 0;
 #else
 abort();
+ /*NOTREACHED*/
 #endif
 case BPF_RET|BPF_K:
 return (u_int)pc->k;
@@ -461,16 +462,38 @@ * The kernel needs to be able to verify an application's filter code. * Otherwise, a bogus program could easily crash the system. */ +CTASSERT(BPF_MEMWORDS == sizeof(uint16_t) * NBBY); + int -bpf_validate(struct bpf_insn *f, int len) +bpf_validate(struct bpf_insn *f, int signed_len) { - u_int i, from; - struct bpf_insn *p; + u_int i, from, len, ok = 0; + const struct bpf_insn *p; +#if defined(KERNEL) || defined(_KERNEL) + uint16_t *mem, invalid; + size_t size; +#endif - if (len < 1 || len > BPF_MAXINSNS) + len = (u_int)signed_len; + if (len < 1) + return 0; +#if defined(KERNEL) || defined(_KERNEL) + if (len > BPF_MAXINSNS) + return 0; +#endif + if (BPF_CLASS(f[len - 1].code) != BPF_RET) return 0; +#if defined(KERNEL) || defined(_KERNEL) + mem = kmem_zalloc(size = sizeof(*mem) * len, KM_SLEEP); + invalid = ~0; /* All is invalid on startup */ +#endif + for (i = 0; i < len; ++i) { +#if defined(KERNEL) || defined(_KERNEL) + /* blend in any invalid bits for current pc */ + invalid |= mem[i]; +#endif p = &f[i]; switch (BPF_CLASS(p->code)) { /* @@ -480,8 +503,22 @@ case BPF_LDX: switch (BPF_MODE(p->code)) { case BPF_MEM: +/* + * There's no maximum packet data size + * in userland. The runtime packet length + * check suffices. + */ +#if defined(KERNEL) || defined(_KERNEL) +/* + * More strict check with actual packet length + * is done runtime. + */ if (p->k >= BPF_MEMWORDS) - return 0; + goto out; +/* check for current memory invalid */ +if (invalid & (1 << p->k)) + goto out; +#endif break; case BPF_ABS: case BPF_IND: @@ -490,13 +527,17 @@ case BPF_LEN: break; default: -return 0; +goto out; } break; case BPF_ST: case BPF_STX: if (p->k >= BPF_MEMWORDS) -return 0; +goto out; +#if defined(KERNEL) || defined(_KERNEL) + /* validate the memory word */ + invalid &= ~(1 << p->k); +#endif break; case BPF_ALU: switch (BPF_OP(p->code)) { 
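Review bot: Moving checks under `#if defined(KERNEL) || defined(_KERNEL)` leaves the userland build of `bpf_validate()` weaker than before: `len = (u_int)signed_len;` followed by `if (len < 1)` turns a negative `signed_len` into a huge count that, with the `BPF_MAXINSNS` test now kernel-only, reaches `f[len - 1].code` out of bounds, and in the second hunk the `p->k >= BPF_MEMWORDS` test for `BPF_LD|BPF_MEM` is kernel-only as well although the identical test for `BPF_ST`/`BPF_STX` in the third hunk stays unconditional (the comment about packet data size above it does not describe a scratch-memory index). Reject the signed value first, `if (signed_len < 1) return 0;` then `len = (u_int)signed_len;`, and keep the `BPF_MEMWORDS` bound outside the `#if` for loads as it is for stores; the `from + p->k < from` wrap test in the `BPF_JA` hunk further down follows the same pattern and deserves the same treatment. The `out:` label that releases `mem` lies outside these hunks.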
@@ -514,10 +555,10 @@
 * Check for constant division by 0.
 */
 if (BPF_SRC(p->code) == BPF_K && p->k == 0)
- return 0;
+ goto out;
 break;
 default:
-return 0;
+goto out;
 }
 break;
 case BPF_JMP:
@@ -540,18 +581,37 @@
 from = i + 1;
 switch (BPF_OP(p->code)) {
 case BPF_JA:
-if (from + p->k < from || from + p->k >= len)
- return 0;
+if (from + p->k >= len)
+ goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+if (from + p->k < from)
+ goto out;
+/*
+ * mark the currently invalid bits for the
+ * destination
+ */
+mem[from + p->k] |= invalid;
+invalid = 0;
+#endif
 break;
 case BPF_JEQ:
 case BPF_JGT:
 case BPF_JGE:
 case BPF_JSET:
 if (from + p->jt >= len || from + p->jf >= len)
- return 0;
+ goto out;
+#if defined(KERNEL) || defined(_KERNEL)
+/*
+ * mark the currently invalid bits for both
+ * possible jump destinations
+ */
+mem[from + p->jt] |= invalid;
+mem[from + p->jf] |= invalid;
+invalid = 0;
+#endif
 break;
 default:
-return 0
CVS commit: [netbsd-5-1] src/sys/net
Module Name:src Committed By: bouyer Date: Sun Jan 16 13:04:45 UTC 2011 Modified Files: src/sys/net [netbsd-5-1]: raw_usrreq.c Log Message: Pull up following revision(s) (requested by pooka in ticket #1529): sys/net/raw_usrreq.c: revision 1.36 Apply patch from PR kern/44369 by Wolfgang Stukenbrock. To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.35.22.1 src/sys/net/raw_usrreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/sys/net/raw_usrreq.c
diff -u src/sys/net/raw_usrreq.c:1.35 src/sys/net/raw_usrreq.c:1.35.22.1
--- src/sys/net/raw_usrreq.c:1.35 Thu May 29 17:26:56 2008
+++ src/sys/net/raw_usrreq.c Sun Jan 16 13:04:45 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $ */
+/* $NetBSD: raw_usrreq.c,v 1.35.22.1 2011/01/16 13:04:45 bouyer Exp $ */
 /*
 * Copyright (c) 1980, 1986, 1993
@@ -32,7 +32,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.35 2008/05/29 17:26:56 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_usrreq.c,v 1.35.22.1 2011/01/16 13:04:45 bouyer Exp $");
 #include
 #include
@@ -276,7 +276,8 @@
 /*
 * stat: don't bother with a blocksize.
 */
- return (0);
+ error = 0;
+ break;
 /*
 * Not supported.
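Review bot: The replacement of `return (0);` with `error = 0; break;` needs a comment, because the `break` leads to code outside the hunk and the next reader may "simplify" it back into the early return that PR kern/44369 removed. Suggest `/* Do not return here: fall out of the switch so the common exit path below runs (PR kern/44369). */` above `error = 0;`. The enclosing `switch` and the exit path it falls to are outside this hunk, so what that path releases cannot be confirmed from here.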