CVS commit: [netbsd-6-1] src/sys/netinet6

2014-08-27 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Aug 27 14:45:11 UTC 2014

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1114):
sys/netinet6/ip6_output.c   1.158 via patch

Fix a memory leak in calling setsockopt() on an INET6 socket.


To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.145.8.1 src/sys/netinet6/ip6_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.145 src/sys/netinet6/ip6_output.c:1.145.8.1
--- src/sys/netinet6/ip6_output.c:1.145	Sun Feb  5 00:41:15 2012
+++ src/sys/netinet6/ip6_output.c	Wed Aug 27 14:45:11 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.145 2012/02/05 00:41:15 rmind Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.145.8.1 2014/08/27 14:45:11 msaitoh Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.145 2012/02/05 00:41:15 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.145.8.1 2014/08/27 14:45:11 msaitoh Exp $");
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
@@ -1781,6 +1781,8 @@ else 	\
 			optp = &in6p->in6p_outputopts;
 			error = ip6_pcbopt(optname, optbuf, optbuflen,
 			optp, kauth_cred_get(), uproto);
+
+			free(optbuf, M_IP6OPT);
 			break;
 			}
 #undef OPTSET
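Review bot: The added `free(optbuf, M_IP6OPT)` is only correct if `ip6_pcbopt()` keeps no pointer into `optbuf` after it returns, and nothing in this hunk says so. If that is the contract, record it at the call, e.g. `/* ip6_pcbopt() copies what it keeps; optbuf is ours to release on success and failure */`. The allocation of `optbuf` and any earlier exits from this case are outside the hunk, so it is worth confirming that each of them releases the buffer as well.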



CVS commit: [netbsd-6-1] src/sys/netinet6

2013-07-12 Thread Julian Coleman
Module Name:src
Committed By:   jdc
Date:   Fri Jul 12 11:18:57 UTC 2013

Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_rtr.c

Log Message:
Pull up revision 1.84 via patch to fix gcc 4.1 compilation error
(uninitialised variable):

Some fun in trying to work out what was broken with gcc-4.1 to
trigger the following warning when gcc-4.5 was silent:
  nd6_rtr.c: In function 'nd6_ra_input':
  nd6_rtr.c:788: warning: 'ext' may be used uninitialized in this function
Eventually determined that it was not unreasonable for gcc-4.1 to
bleat in this case as there is a nasty 'goto insert' which could
indeed have resulted in an uninitialised variable use. Yay gcc 4.1.


To generate a diff of this commit:
cvs rdiff -u -r1.82.10.1 -r1.82.10.2 src/sys/netinet6/nd6_rtr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_rtr.c
diff -u src/sys/netinet6/nd6_rtr.c:1.82.10.1 src/sys/netinet6/nd6_rtr.c:1.82.10.2
--- src/sys/netinet6/nd6_rtr.c:1.82.10.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/nd6_rtr.c	Fri Jul 12 11:18:57 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_rtr.c,v 1.82.10.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: nd6_rtr.c,v 1.82.10.2 2013/07/12 11:18:57 jdc Exp $	*/
 /*	$KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.82.10.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.82.10.2 2013/07/12 11:18:57 jdc Exp $");
 
 #include 
 #include 
@@ -744,6 +744,7 @@ static struct nd_defrouter *
 defrtrlist_update(struct nd_defrouter *new)
 {
 	struct nd_defrouter *dr, *n;
+	struct in6_ifextra *ext = new->ifp->if_afdata[AF_INET6];
 	int s = splsoftnet();
 
 	if ((dr = defrouter_lookup(&new->rtaddr, new->ifp)) != NULL) {
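Review bot: Moving the initializer to the top of `defrtrlist_update()` means `new->ifp->if_afdata[AF_INET6]` is now read before `splsoftnet()` on the following line, whereas the removed declaration read it after the priority level had been raised. If that read is meant to be covered by the spl section, declare first and assign afterwards: `struct in6_ifextra *ext;` at the top, with `ext = new->ifp->if_afdata[AF_INET6];` placed after `int s = splsoftnet();`. That still gives gcc 4.1 an initialised variable on the `goto insert` path the log mentions. The function body continues outside the hunk.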
@@ -785,7 +786,6 @@ defrtrlist_update(struct nd_defrouter *n
 		return (dr);
 	}
 
-	struct in6_ifextra *ext = new->ifp->if_afdata[AF_INET6];
 	if (ip6_maxifdefrouters >= 0 &&
 	ext->ndefrouters >= ip6_maxifdefrouters) {
 		splx(s);
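Review bot: `ext->ndefrouters` is dereferenced here with no NULL check on `ext`, which is loaded from `if_afdata[AF_INET6]`. `prelist_remove()` in the same file was later changed on this branch to test its `ext` before use, which suggests the pointer can be absent in some interface states; whether that applies on this path is not visible from the hunk. If it does, the condition should start with the guard, `if (ext != NULL && ip6_maxifdefrouters >= 0 &&`, and any later use of `ext` outside the hunk needs the same treatment.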



CVS commit: [netbsd-6-1] src/sys/netinet6

2013-08-08 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Thu Aug  8 21:57:40 UTC 2013

Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_rtr.c

Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #926):
sys/netinet6/nd6_rtr.c: revision 1.86
PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
its link-local address.


To generate a diff of this commit:
cvs rdiff -u -r1.82.10.2 -r1.82.10.3 src/sys/netinet6/nd6_rtr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_rtr.c
diff -u src/sys/netinet6/nd6_rtr.c:1.82.10.2 src/sys/netinet6/nd6_rtr.c:1.82.10.3
--- src/sys/netinet6/nd6_rtr.c:1.82.10.2	Fri Jul 12 11:18:57 2013
+++ src/sys/netinet6/nd6_rtr.c	Thu Aug  8 21:57:40 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_rtr.c,v 1.82.10.2 2013/07/12 11:18:57 jdc Exp $	*/
+/*	$NetBSD: nd6_rtr.c,v 1.82.10.3 2013/08/08 21:57:40 snj Exp $	*/
 /*	$KAME: nd6_rtr.c,v 1.95 2001/02/07 08:09:47 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.82.10.2 2013/07/12 11:18:57 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_rtr.c,v 1.82.10.3 2013/08/08 21:57:40 snj Exp $");
 
 #include 
 #include 
@@ -1038,10 +1038,12 @@ prelist_remove(struct nd_prefix *pr)
 		free(pfr, M_IP6NDP);
 	}
 
-	ext->nprefixes--;
-	if (ext->nprefixes < 0) {
-		log(LOG_WARNING, "prelist_remove: negative count on %s\n",
-		pr->ndpr_ifp->if_xname);
+	if (ext) {
+		ext->nprefixes--;
+		if (ext->nprefixes < 0) {
+			log(LOG_WARNING, "prelist_remove: negative count on "
+			"%s\n", pr->ndpr_ifp->if_xname);
+		}
 	}
 	splx(s);
 
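Review bot: The new `if (ext)` guard carries no explanation of when `ext` is NULL, so the next reader cannot tell whether this is a normal state or a masked bug. A one-line comment above it would do, e.g. `/* ext can be NULL while the interface is being torn down (PR/47576) */`; that wording is inferred from the log message and should be confirmed against how `ext` is obtained, which is outside the hunk. Splitting the format string across two literals also makes the message harder to grep for; breaking the line after the comma instead keeps `"prelist_remove: negative count on %s\n"` in one piece.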



CVS commit: [netbsd-6-1] src/sys/netinet6

2013-09-17 Thread SAITOH Masanobu
Module Name:src
Committed By:   msaitoh
Date:   Wed Sep 18 03:23:56 UTC 2013

Modified Files:
src/sys/netinet6 [netbsd-6-1]: in6.c

Log Message:
Pull up following revision(s) (requested by spz in ticket #944):
sys/netinet6/in6.c: revision 1.167 via patch
Include BRDADDR and NETMASK to the v4 ioctls we ban for v6; from FreeBSD.


To generate a diff of this commit:
cvs rdiff -u -r1.159.10.1 -r1.159.10.2 src/sys/netinet6/in6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/in6.c
diff -u src/sys/netinet6/in6.c:1.159.10.1 src/sys/netinet6/in6.c:1.159.10.2
--- src/sys/netinet6/in6.c:1.159.10.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/in6.c	Wed Sep 18 03:23:56 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: in6.c,v 1.159.10.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: in6.c,v 1.159.10.2 2013/09/18 03:23:56 msaitoh Exp $	*/
 /*	$KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159.10.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159.10.2 2013/09/18 03:23:56 msaitoh Exp $");
 
 #include "opt_inet.h"
 #include "opt_pfil_hooks.h"
@@ -367,6 +367,8 @@ in6_control1(struct socket *so, u_long c
 #ifdef SIOCSIFCONF_X25
 	case SIOCSIFCONF_X25:
 #endif
+	case SIOCSIFBRDADDR:
+	case SIOCSIFNETMASK:
 		return EOPNOTSUPP;
 	case SIOCGETSGCNT_IN6:
 	case SIOCGETMIFCNT_IN6:



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 18:45:59 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: frag6.c ip6_input.c ip6_var.h raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1523):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
sys/netinet6/ah_input.c: adjust other callers (patch)
sys/netinet6/esp_input.c: adjust other callers (patch)
sys/netinet6/ipcomp_input.c: adjust other callers (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.


To generate a diff of this commit:
cvs rdiff -u -r1.52.2.2 -r1.52.2.2.2.1 src/sys/netinet6/frag6.c
cvs rdiff -u -r1.136.8.1 -r1.136.8.2 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.58.8.1 -r1.58.8.2 src/sys/netinet6/ip6_var.h
cvs rdiff -u -r1.109 -r1.109.8.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.52.2.2 src/sys/netinet6/frag6.c:1.52.2.2.2.1
--- src/sys/netinet6/frag6.c:1.52.2.2	Thu Oct 25 17:23:33 2012
+++ src/sys/netinet6/frag6.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $	*/
+/*	$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2 2012/10/25 17:23:33 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.52.2.2.2.1 2018/01/30 18:45:59 martin Exp $");
 
 #include 
 #include 
@@ -441,14 +441,6 @@ insert:
 		m_cat(m, t);
 	}
 
-	/*
-	 * Store NXT to the original.
-	 */
-	{
-		u_int8_t *prvnxtp = ip6_get_prevhdr(m, offset); /* XXX */
-		*prvnxtp = nxt;
-	}
-
 	frag6_remque(q6);
 	frag6_nfrags -= q6->ip6q_nfrag;
 	kmem_intr_free(q6, sizeof(struct ip6q));
@@ -461,6 +453,21 @@ insert:
 		m->m_pkthdr.len = plen;
 	}
 
+	/*
+	 * Restore NXT to the original.
+	 */
+	{
+		const int prvnxt = ip6_get_prevhdr(m, offset);
+		uint8_t *prvnxtp;
+
+		IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt,
+		sizeof(*prvnxtp));
+		if (prvnxtp == NULL) {
+			goto dropfrag;
+		}
+		*prvnxtp = nxt;
+	}
+
 	IP6_STATINC(IP6_STAT_REASSEMBLED);
 	in6_ifstat_inc(dstifp, ifs6_reass_ok);
 
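Review bot: The new `goto dropfrag` is taken after `frag6_remque(q6)` and `kmem_intr_free(q6, ...)` have already run (see the preceding hunk) and after `m->m_pkthdr.len` has been rewritten, so `dropfrag` is now entered in a state it was not entered in before. The label and the definition of `IP6_EXTHDR_GET` are outside the hunk: confirm that `dropfrag` does not touch `q6`, and that it handles `m` the way the macro leaves it on failure, so the chain is neither freed twice nor leaked. A comment on the branch stating who owns `m` at that point would make this checkable. The value returned by `ip6_get_prevhdr()` is also passed on unchecked; if it can be negative, reject it before handing it to the macro.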

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.136.8.1 src/sys/netinet6/ip6_input.c:1.136.8.2
--- src/sys/netinet6/ip6_input.c:1.136.8.1	Mon Jul  8 07:40:56 2013
+++ src/sys/netinet6/ip6_input.c	Tue Jan 30 18:45:59 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.1 2013/07/08 07:40:56 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.8.2 2018/01/30 18:45:59 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1419,50 +1419,44 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 }
 
 /*
- * Get pointer to the previous header followed by the header
+ * Get offset to the previous header followed by the header
  * currently processed.
- * XXX: This funct

CVS commit: [netbsd-6-1] src/sys/netinet6

2018-01-30 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Tue Jan 30 22:10:56 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ah_input.c esp_input.c ipcomp_input.c

Log Message:
Ooops, remainder of Ticket #1523, accidentally not committed previously


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.59.14.1 src/sys/netinet6/ah_input.c
cvs rdiff -u -r1.50 -r1.50.14.1 src/sys/netinet6/esp_input.c
cvs rdiff -u -r1.38 -r1.38.14.1 src/sys/netinet6/ipcomp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ah_input.c
diff -u src/sys/netinet6/ah_input.c:1.59 src/sys/netinet6/ah_input.c:1.59.14.1
--- src/sys/netinet6/ah_input.c:1.59	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ah_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.59.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -858,7 +858,8 @@ ah6_input(struct mbuf **mp, int *offp, i
 		 * next header field of the previous header.
 		 * This is necessary because AH will be stripped off below.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		ip6 = mtod(m, struct ip6_hdr *);
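Review bot: `mtod(m, u_int8_t *) + prvnxt` is still pointer arithmetic on the first mbuf, which is the pattern the log for ticket #1523 describes as wrong: nothing here checks that `prvnxt` lies within `m->m_len` before `*prvnxtp = nxt` writes through it. The frag6.c change for the same ticket uses `IP6_EXTHDR_GET(prvnxtp, uint8_t *, m, prvnxt, sizeof(*prvnxtp));` followed by a NULL check, and this caller should do the same and leave through the function's existing error exit when the pointer is NULL. The same two added lines appear in esp_input.c and ipcomp_input.c in this commit and need the same change. The surrounding function bodies are outside the hunks, so the right error label in each has to be taken from the file.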

Index: src/sys/netinet6/esp_input.c
diff -u src/sys/netinet6/esp_input.c:1.50 src/sys/netinet6/esp_input.c:1.50.14.1
--- src/sys/netinet6/esp_input.c:1.50	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/esp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: esp_input.c,v 1.50.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -834,7 +834,8 @@ noreplaycheck:
 		/*
 		 * Set the next header field of the previous header correctly.
 		 */
-		prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
+		const int prvnxt = ip6_get_prevhdr(m, off);
+		prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 		*prvnxtp = nxt;
 
 		stripsiz = esplen + ivlen;

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.38 src/sys/netinet6/ipcomp_input.c:1.38.14.1
--- src/sys/netinet6/ipcomp_input.c:1.38	Sun Jul 17 20:54:53 2011
+++ src/sys/netinet6/ipcomp_input.c	Tue Jan 30 22:10:56 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.38.14.1 2018/01/30 22:10:56 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -352,7 +352,8 @@ ipcomp6_input(struct mbuf **mp, int *off
 	m->m_flags |= M_DECRYPTED;
 
 	/* update next header field */
-	prvnxtp = ip6_get_prevhdr(m, off);
+	const int prvnxt = ip6_get_prevhdr(m, off);
+	prvnxtp = (mtod(m, u_int8_t *) + prvnxt); /* XXX */
 	*prvnxtp = nxt;
 
 	/*



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 11:08:30 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_mroute.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1524):
sys/netinet6/ip6_mroute.c: revision 1.120
Fix a pretty simple, yet pretty tragic typo: we should return IPPROTO_DONE,
not IPPROTO_NONE. With IPPROTO_NONE we will keep parsing the header chain
on an mbuf that was already freed.


To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.16.1 src/sys/netinet6/ip6_mroute.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_mroute.c
diff -u src/sys/netinet6/ip6_mroute.c:1.103 src/sys/netinet6/ip6_mroute.c:1.103.16.1
--- src/sys/netinet6/ip6_mroute.c:1.103	Sat Dec 31 20:41:59 2011
+++ src/sys/netinet6/ip6_mroute.c	Fri Feb  2 11:08:30 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $	*/
+/*	$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $	*/
 /*	$KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $	*/
 
 /*
@@ -117,7 +117,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.103.16.1 2018/02/02 11:08:30 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_mrouting.h"
@@ -1864,7 +1864,7 @@ pim6_input(struct mbuf **mp, int *offp, 
 			(eip6->ip6_vfc & IPV6_VERSION));
 #endif
 			m_freem(m);
-			return (IPPROTO_NONE);
+			return (IPPROTO_DONE);
 		}
 
 		/* verify the inner packet is destined to a mcast group */
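Review bot: Nothing at the corrected return records why `IPPROTO_DONE` is required, and the log message shows how easily the two constants are confused. A comment on the line would pin it: `return (IPPROTO_DONE); /* m was freed above; stop header-chain parsing */`. The rest of `pim6_input()` is outside the hunk, so the other exits that follow an `m_freem(m)` are worth checking for the same mistake.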



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-02-02 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Fri Feb  2 13:11:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_nbr.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1525):
sys/netinet6/nd6_nbr.c: revision 1.145 (patch)

Fix memory leak. Contrary to what the XXX indicates, this place is 100%
reachable remotely.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.95.8.1 src/sys/netinet6/nd6_nbr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/nd6_nbr.c
diff -u src/sys/netinet6/nd6_nbr.c:1.95 src/sys/netinet6/nd6_nbr.c:1.95.8.1
--- src/sys/netinet6/nd6_nbr.c:1.95	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/nd6_nbr.c	Fri Feb  2 13:11:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95.8.1 2018/02/02 13:11:32 martin Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -589,7 +589,7 @@ nd6_na_input(struct mbuf *m, int off, in
 
 	taddr6 = nd_na->nd_na_target;
 	if (in6_setscope(&taddr6, ifp, NULL))
-		return;		/* XXX: impossible */
+		goto bad;
 
 	if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
 		nd6log((LOG_ERR,
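Review bot: The replacement drops the old comment without leaving a new one, so the reason for `goto bad` lives only in the commit log. Suggest `goto bad; /* release m; in6_setscope() can fail on received packets */`, assuming the `bad` label frees `m`, which is outside the hunk. The check that follows logs through `nd6log()` while this one drops the packet without a message in the visible lines; if that is intentional it deserves a word in the same comment.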



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:19:32 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1540):

sys/netinet6/ip6_forward.c: revision 1.91 (via patch)

Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.


To generate a diff of this commit:
cvs rdiff -u -r1.69.8.1 -r1.69.8.2 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69.8.1 src/sys/netinet6/ip6_forward.c:1.69.8.2
--- src/sys/netinet6/ip6_forward.c:1.69.8.1	Tue Mar 13 16:43:04 2018
+++ src/sys/netinet6/ip6_forward.c	Sun Apr  1 09:19:32 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.2 2018/04/01 09:19:32 martin Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -361,9 +361,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		 * because we asked key management for an SA and
 		 * it was delayed (e.g. kicked up to IKE).
 		 */
-	if (error == -EINVAL)
-		error = 0;
-	goto freecopy;
+		if (error == -EINVAL)
+			error = 0;
+		m_freem(m);
+		goto freecopy;
 	}
 #endif /* FAST_IPSEC */
 
@@ -467,8 +468,10 @@ ip6_forward(struct mbuf *m, int srcrt)
 		s = splsoftnet();
 		error = ipsec6_process_packet(m,sp->req);
 		splx(s);
+		/* m is freed */
 		if (mcopy)
 			goto freecopy;
+		return;
 }
 #endif   
 
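Review bot: The log message speaks of a missing `goto out`, but the line added here is a bare `return;`, and the hunk does not show whether an `out` label exists on this branch or what cleanup it would perform. If `return` is deliberate, say so next to it, and make the ownership comment precise about both outcomes, e.g. `/* ipsec6_process_packet() consumed m, whether or not it failed */` if that is indeed the contract. `error` is assigned from the call and not examined in the visible lines, and whether `sp` must be released before returning cannot be seen from here; both deserve a check.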



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-04-01 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Sun Apr  1 09:23:39 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):

sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.109.8.1 -r1.109.8.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.109.8.1 src/sys/netinet6/raw_ip6.c:1.109.8.2
--- src/sys/netinet6/raw_ip6.c:1.109.8.1	Tue Jan 30 18:45:59 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:23:39 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.1 2018/01/30 18:45:59 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.8.2 2018/04/01 09:23:39 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum,
 		M_DONTWAIT);
 		if (m == NULL) {
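Review bot: Saving `ip6->ip6_nxt` into `nxt` covers this one read, but `ip6` itself stays in scope and still points into the chain that `m_copyback_cow()` may have replaced. A comment at the new declaration in the first hunk would warn the next editor, e.g. `/* read now: m_copyback_cow() below can replace the mbuf ip6 points into */`. The remainder of `rip6_output()` is outside these hunks; any later dereference of `ip6` should be preceded by `ip6 = mtod(m, struct ip6_hdr *);` on the current `m`.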



CVS commit: [netbsd-6-1] src/sys/netinet6

2018-03-13 Thread Soren Jacobsen
Module Name:src
Committed By:   snj
Date:   Tue Mar 13 16:43:05 UTC 2018

Modified Files:
src/sys/netinet6 [netbsd-6-1]: ip6_forward.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.8.1 src/sys/netinet6/ip6_forward.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_forward.c
diff -u src/sys/netinet6/ip6_forward.c:1.69 src/sys/netinet6/ip6_forward.c:1.69.8.1
--- src/sys/netinet6/ip6_forward.c:1.69	Mon Dec 19 11:59:58 2011
+++ src/sys/netinet6/ip6_forward.c	Tue Mar 13 16:43:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include 
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.8.1 2018/03/13 16:43:04 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
@@ -645,8 +645,8 @@ ip6_forward(struct mbuf *m, int srcrt)
 			IP6_STATINC(IP6_STAT_REDIRECTSENT);
 		else {
 #ifdef GATEWAY
-			if (m->m_flags & M_CANFASTFWD)
-ip6flow_create(&ip6_forward_rt, m);
+			if (mcopy->m_flags & M_CANFASTFWD)
+ip6flow_create(&ip6_forward_rt, mcopy);
 #endif
 			if (mcopy)
 goto freecopy;
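Review bot: `mcopy->m_flags` is dereferenced a few lines before the existing `if (mcopy)` test, which implies `mcopy` can be NULL on this path and the new line would then fault. Guard the new use: `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`. `ip6flow_create()` is then handed `mcopy` and `goto freecopy` follows; whether the flow code keeps a reference to the mbuf is not visible here and should be confirmed, since `freecopy` presumably releases it.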