Author: kp
Date: Mon Sep  3 08:57:09 2018
New Revision: 338442
URL: https://svnweb.freebsd.org/changeset/base/338442

Log:
  MFC r338406:
  
  frag6: Fix fragment reassembly
  
  r337776 started hashing the fragments into buckets for faster lookup.
  
  The hashkey is larger than intended. This results in random stack data being
  included in the hashed data, which in turn means that fragments of the same
  packet might end up in different buckets, causing the reassembly to fail.
  
  Set the correct size for hashkey.
  
  PR:           231045

Modified:
  stable/11/sys/netinet6/frag6.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet6/frag6.c
==============================================================================
--- stable/11/sys/netinet6/frag6.c      Mon Sep  3 06:57:25 2018        
(r338441)
+++ stable/11/sys/netinet6/frag6.c      Mon Sep  3 08:57:09 2018        
(r338442)
@@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
        int offset = *offp, nxt, i, next;
        int first_frag = 0;
        int fragoff, frgpartlen;        /* must be larger than u_int16_t */
-       uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
+       uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
+                   sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
+       uint32_t hash, *hashkeyp;
        struct ifnet *dstifp;
        u_int8_t ecn, ecn0;
 #ifdef RSS
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to