Module Name:    src
Committed By:   gson
Date:           Thu Mar 15 13:25:46 UTC 2012

Modified Files:
        src/sys/netinet: rfc6056.c

Log Message:
Fix random kernel memory corruption by algo_doublehash().  And by
"random" I don't mean just "arbitrary" as in using an uninitialized
pointer, but random as in corrupting the contents of memory addresses
chosen using a crypto-strength random number generator.

I believe this is the likely cause of multiple reports of random
crashes over the last six months, including kern/45677 and kern/46096.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/netinet/rfc6056.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/rfc6056.c
diff -u src/sys/netinet/rfc6056.c:1.4 src/sys/netinet/rfc6056.c:1.5
--- src/sys/netinet/rfc6056.c:1.4	Sat Nov 19 22:51:25 2011
+++ src/sys/netinet/rfc6056.c	Thu Mar 15 13:25:46 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: rfc6056.c,v 1.4 2011/11/19 22:51:25 tls Exp $	*/
+/*	$NetBSD: rfc6056.c,v 1.5 2012/03/15 13:25:46 gson Exp $	*/
 
 /*
  * Copyright 2011 Vlad Balan
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rfc6056.c,v 1.4 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rfc6056.c,v 1.5 2012/03/15 13:25:46 gson Exp $");
 
 #include "opt_inet.h"
 
@@ -665,8 +665,9 @@ algo_doublehash(int algo, uint16_t *port
 	uint16_t count, num_ephemeral;
 	uint16_t mymin, mymax, lastport;
 	uint16_t *next_ephemeral;
-	uint16_t offset, idx, myport;
+	uint16_t offset, myport;
 	static uint16_t dhtable[8];
+	size_t idx;
 	int error;
 
 	DPRINTF("%s called\n", __func__);
@@ -688,7 +689,7 @@ algo_doublehash(int algo, uint16_t *port
 	/* Ephemeral port selection function */
 	num_ephemeral = mymax - mymin + 1;
 	offset = Fhash(inp_hdr);
-	idx = Fhash(inp_hdr);	/* G */
+	idx = Fhash(inp_hdr) % __arraycount(dhtable);	/* G */
 	count = num_ephemeral;
 
 	do {
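Review bot: On the `/* G */` line, `idx` comes from the same `Fhash(inp_hdr)` call that produces `offset` two lines above. Unless Fhash is keyed differently on each call (not visible in this hunk), `idx` is simply `offset % 8`, so the table slot is fully determined by the offset; RFC 6056's double-hash scheme uses a second function G with its own secret for this. The modulo is what keeps the index inside `dhtable`, and a comment would stop it being dropped in a later cleanup, e.g. `/* G: reduce to a valid dhtable[] index; an unreduced hash value indexes far past the 8-entry array */`. algo_doublehash() starts and ends outside this hunk, so the later reads and writes through `idx` cannot be checked from here.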
