Default branch: MAIN
Current tag: netbsd-7-1
Revision 18.104.22.168.6.3, Tue Sep 17 18:08:13 2019 UTC (4 weeks ago) by martin
Changes since 22.214.171.124.6.2: +10 -2 lines
Pull up following revision(s) (requested by bouyer in ticket #1708):
	sys/netinet6/ip6_input.c: revision 1.209 via patch
	sys/netinet/ip_input.c: revision 1.390 via patch

Packet filters can return an mbuf chain with fragmented headers, so m_pullup() it if needed and remove the KASSERT()s.
Revision 220.127.116.11.6.2, Sun Feb 25 23:17:37 2018 UTC (19 months, 2 weeks ago) by snj
CVS Tags: netbsd-7-1-2-RELEASE
Changes since 18.104.22.168.6.1: +11 -3 lines
Pull up following revision(s) (requested by maxv in ticket #1572):
	sys/netinet6/ip6_input.c: 1.188 via patch

Kick nested fragments.
Revision 188.8.131.52.6.1, Tue Jan 30 18:30:31 2018 UTC (20 months, 2 weeks ago) by martin
Changes since 184.108.40.206: +20 -26 lines
Pull up following revision(s) (requested by maxv in ticket #1560):
	sys/netinet6/frag6.c: revision 1.65
	sys/netinet6/ip6_input.c: revision 1.187
	sys/netinet6/ip6_var.h: revision 1.78
	sys/netinet6/raw_ip6.c: revision 1.160 (patch)

Fix a buffer overflow in ip6_get_prevhdr. Doing mtod(m, char *) + len is wrong, an option is allowed to be located in another mbuf of the chain. If the offset of an option within the chain is bigger than the length of the first mbuf in that chain, we are reading/writing one byte of packet-controlled data beyond the end of the first mbuf.

The length of this first mbuf depends on the layout the network driver chose. In the most difficult case, it will allocate a 2KB cluster, which is bigger than the Ethernet MTU.

But there is at least one way of exploiting this case: by sending a special combination of nested IPv6 fragments, the packet can control a good bunch of 'len'. By luck, the memory pool containing clusters does not embed the pool header in front of the items, so it is not straightforward to predict what is located at 'mtod(m, char *) + len'.

However, by sending offending fragments in a loop, it is possible to crash the kernel - at some point we will hit important data structures.

As far as I can tell, PF protects against this difficult case, because it kicks nested fragments. NPF does not protect against this. IPF I don't know.

Then there are the more easy cases, if the MTU is bigger than a cluster, or if the network driver did not allocate a cluster, or perhaps if the fragments are received via a tunnel; I haven't investigated these cases.

Change ip6_get_prevhdr so that it returns an offset in the chain, and always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET leaves M_PKTHDR untouched.

This place is still fragile.
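The bug class described in the log message above, shown on a toy buffer chain as an added example; this is not NetBSD code. The `toy_mbuf` type, the helper names and the sample packet layout are all hypothetical and constructed here. It contrasts the bounds condition of the "first buffer pointer plus offset" pattern with a lookup that resolves the offset against the whole chain.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy stand-in for a kernel mbuf (hypothetical type, not struct mbuf). */
struct toy_mbuf {
    struct toy_mbuf *next;  /* next buffer in the chain, or NULL */
    uint8_t *data;          /* start of this buffer's bytes */
    size_t len;             /* bytes valid in this buffer only */
};

/* The flawed pattern computes first->data + off. That address is inside
 * the first buffer only when this predicate returns 1. */
static int flat_access_in_bounds(const struct toy_mbuf *m, size_t off)
{
    return m != NULL && off < m->len;
}

/* Chain-aware lookup: treat 'off' as an offset into the whole chain and
 * walk to the buffer that holds it. NULL if 'off' is past the chain end. */
static uint8_t *chain_byte_at(struct toy_mbuf *m, size_t off)
{
    for (; m != NULL; m = m->next) {
        if (off < m->len)
            return m->data + off;
        off -= m->len;      /* skip this buffer, keep the remainder */
    }
    return NULL;
}

/* Constructed sample: 48 bytes split 40 + 8 across two buffers, so the
 * first byte of the extension header (chain offset 40) is in buffer 2.
 * 44 is the IPv6 next-header value for a Fragment header. */
static uint8_t seg0[40], seg1[8] = { 44 };
static struct toy_mbuf m1 = { NULL, seg1, sizeof seg1 };
static struct toy_mbuf m0 = { &m1, seg0, sizeof seg0 };

/* Returns the byte at a chain offset, or -1 when the offset is invalid. */
static int read_chain(size_t off)
{
    uint8_t *p = chain_byte_at(&m0, off);
    return p ? *p : -1;
}

int main(void)
{
    /* Offset 40: flat access would leave seg0, chain lookup finds 44. */
    return (!flat_access_in_bounds(&m0, 40) && read_chain(40) == 44) ? 0 : 1;
}
```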
Revision 18.104.22.168, Fri Jan 23 09:27:15 2015 UTC (4 years, 8 months ago) by martin
CVS Tags: netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-1-RELEASE, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE
Branch point for: netbsd-7-1, netbsd-7-0
Changes since 1.149: +10 -2 lines
Pull up following revision(s) (requested by pettai in ticket #441):
	sys/netinet6/ip6_var.h: revision 1.64
	sys/netinet6/in6.h: revision 1.82
	sys/netinet6/in6_src.c: revision 1.56
	sys/netinet6/mld6.c: revision 1.62
	sys/netinet6/ip6_input.c: revision 1.150
	sys/netinet6/ip6_output.c: revision 1.161

Add net.inet6.ip6.prefer_tempaddr sysctl knob so that we can prefer IPv6 temporary addresses as the source address. Fixes PR kern/47100 based on a patch by Dieter Roelants.