Module Name:    src
Committed By:   christos
Date:           Thu Oct 12 18:27:38 UTC 2017

Modified Files:
        src/sys/external/bsd/ipf/netinet: ip_state.c

Log Message:
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/external/bsd/ipf/netinet/ip_state.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/ipf/netinet/ip_state.c
diff -u src/sys/external/bsd/ipf/netinet/ip_state.c:1.8 src/sys/external/bsd/ipf/netinet/ip_state.c:1.9
--- src/sys/external/bsd/ipf/netinet/ip_state.c:1.8	Sat Jul  1 12:34:17 2017
+++ src/sys/external/bsd/ipf/netinet/ip_state.c	Thu Oct 12 14:27:38 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.c,v 1.8 2017/07/01 16:34:17 khorben Exp $	*/
+/*	$NetBSD: ip_state.c,v 1.9 2017/10/12 18:27:38 christos Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -100,7 +100,7 @@ struct file;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.8 2017/07/01 16:34:17 khorben Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.9 2017/10/12 18:27:38 christos Exp $");
 #else
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@@ -298,6 +298,32 @@ ipf_state_soft_destroy(ipf_main_softc_t 
 	KFREE(softs);
 }
 
+static void *
+ipf_state_seed_alloc(u_int state_size, u_int state_max)
+{
+	u_int i;
+	u_long *state_seed;
+	KMALLOCS(state_seed, u_long *, state_size * sizeof(*state_seed));
+	if (state_seed == NULL)
+		return NULL;
+
+	for (i = 0; i < state_size; i++) {
+		/*
+		 * XXX - ipf_state_seed[X] should be a random number of sorts.
+		 */
+#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+		state_seed[i] = cprng_fast32();
+#else
+		state_seed[i] = ((u_long)state_seed + i) * state_size;
+		state_seed[i] ^= 0xa5a55a5a;
+		state_seed[i] *= state_seed;
+		state_seed[i] ^= 0x5a5aa5a5;
+		state_seed[i] *= state_max;
+#endif
+	}
+	return state_seed;
+}
+
 
 /* ------------------------------------------------------------------------ */
 /* Function:    ipf_state_soft_init                                         */
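Review bot: `state_seed[i] *= state_seed;` on the `#else` side of the new ipf_state_seed_alloc() multiplies an integer by the array pointer itself, which is not valid C; the code it replaces used `(u_long)softs->ipf_state_seed`, so the intended line is `state_seed[i] *= (u_long)state_seed;`. That branch is only compiled when `NEED_LOCAL_RAND` is defined or `_KERNEL` is not, so a NetBSD kernel build taking the cprng_fast32() path would never see the error, which is presumably why it slipped through; a userland or NEED_LOCAL_RAND build of this file would fail to compile. The fallback also still derives the seed from a heap address and the table sizes rather than a random source, as the carried-over XXX comment says, so bucket placement is predictable in that configuration. Style-wise, the new function lacks the boxed `/* Function: ... */` header the rest of the file gives each function, and the hunk leaves two consecutive blank lines after its closing brace.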
@@ -328,27 +354,11 @@ ipf_state_soft_init(ipf_main_softc_t *so
 	bzero((char *)softs->ipf_state_table,
 	      softs->ipf_state_size * sizeof(ipstate_t *));
 
-	KMALLOCS(softs->ipf_state_seed, u_long *,
-		 softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+	softs->ipf_state_seed = ipf_state_seed_alloc(softs->ipf_state_size,
+	    softs->ipf_state_max);
 	if (softs->ipf_state_seed == NULL)
 		return -2;
 
-	for (i = 0; i < softs->ipf_state_size; i++) {
-		/*
-		 * XXX - ipf_state_seed[X] should be a random number of sorts.
-		 */
-#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
-		softs->ipf_state_seed[i] = cprng_fast32();
-#else
-		softs->ipf_state_seed[i] = ((u_long)softs->ipf_state_seed + i) *
-				    softs->ipf_state_size;
-		softs->ipf_state_seed[i] ^= 0xa5a55a5a;
-		softs->ipf_state_seed[i] *= (u_long)softs->ipf_state_seed;
-		softs->ipf_state_seed[i] ^= 0x5a5aa5a5;
-		softs->ipf_state_seed[i] *= softs->ipf_state_max;
-#endif
-	}
-
 	KMALLOCS(softs->ipf_state_stats.iss_bucketlen, u_int *,
 		 softs->ipf_state_size * sizeof(u_int));
 	if (softs->ipf_state_stats.iss_bucketlen == NULL)
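Review bot: The removed loop was, as far as this hunk shows, the user of `i` in ipf_state_soft_init, but the declaration of `i` is above the hunk and is not touched, so it is now likely an unused variable and will draw a compiler warning (a build with -Werror would fail) unless it is still referenced further down in the function. ipf_state_soft_init begins and ends outside this hunk, so this needs checking against the full function.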
@@ -5137,6 +5147,7 @@ ipf_state_rehash(ipf_main_softc_t *softc
 {
 	ipf_state_softc_t *softs = softc->ipf_state_soft;
 	ipstate_t **newtab, *is;
+	u_long *newseed;
 	u_int *bucketlens;
 	u_int maxbucket;
 	u_int newsize;
@@ -5163,6 +5174,14 @@ ipf_state_rehash(ipf_main_softc_t *softc
 		return ENOMEM;
 	}
 
+	newseed = ipf_state_seed_alloc(newsize, softs->ipf_state_max);
+	if (newseed == NULL) {
+		KFREES(bucketlens, newsize * sizeof(*bucketlens));
+		KFREES(newtab, newsize * sizeof(*newtab));
+		IPFERROR(100037);
+		return ENOMEM;
+	}
+
 	for (maxbucket = 0, i = newsize; i > 0; i >>= 1)
 		maxbucket++;
 	maxbucket *= 2;
@@ -5178,6 +5197,12 @@ ipf_state_rehash(ipf_main_softc_t *softc
 	}
 	softs->ipf_state_table = newtab;
 
+	if (softs->ipf_state_seed != NULL) {
+		KFREES(softs->ipf_state_seed,
+		       softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+	}
+	softs->ipf_state_seed = newseed;
+
 	if (softs->ipf_state_stats.iss_bucketlen != NULL) {
 		KFREES(softs->ipf_state_stats.iss_bucketlen,
 		       softs->ipf_state_size * sizeof(u_int));
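Review bot: The new seed array is installed with `softs->ipf_state_seed = newseed;` only after `softs->ipf_state_table = newtab;` and after whatever re-bucketing of existing entries precedes this hunk; if the bucket index of an entry is derived from ipf_state_seed, entries are placed using the old seed and later looked up with the new one, so the swap would need to happen before the entries are re-bucketed. I cannot see from here where the seed enters the hash, so this should be confirmed against the add/lookup paths. The old array is freed with the current `softs->ipf_state_size`, which is correct only if that field has not yet been updated to newsize at this point; the assignment is outside the hunk. ipf_state_rehash continues past the end of this hunk.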
