Module Name: src
Committed By: martin
Date: Mon May 14 19:22:30 UTC 2018
Modified Files:
src/sys/net/npf [netbsd-8]: npf_alg_icmp.c npf_inet.c npf_sendpkt.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #823):
sys/net/npf/npf_inet.c: revision 1.45-1.47
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.30
sys/net/npf/npf_sendpkt.c: revision 1.19
Fix use-after-free.
The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.
Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.
Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.
This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.
In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that
ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4
So we could have ICMPv6 in IPv4.
apply some INET6 so this compiles in INET6-less kernels again.
To generate a diff of this commit:
cvs rdiff -u -r1.24.8.1 -r1.24.8.2 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.37.6.1 -r1.37.6.2 src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.16.8.1 -r1.16.8.2 src/sys/net/npf/npf_sendpkt.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
