![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / sys / netinet6
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: netbsd-7
Revision 1.136.2.4 / (download) - annotate - [select for diffs], Tue Jan 29 07:57:00 2019 UTC (5 years, 2 months ago) by msaitoh
Branch: netbsd-7
Changes since 1.136.2.3: +4 -4
lines
Diff to previous 1.136.2.3 (colored) to branchpoint 1.136 (colored) next main 1.137 (colored)
Pull up following revision(s) (requested by martin in ticket #1676): sys/net/link_proto.c 1.37 sys/netatalk/ddp_usrreq.c 1.72 sys/netbt/hci_socket.c 1.46 sys/netbt/l2cap_socket.c 1.36 sys/netbt/rfcomm_socket.c 1.38 sys/netbt/sco_socket.c 1.38 sys/netinet/tcp_usrreq.c 1.223 via patch sys/netinet6/raw_ip6.c 1.173 sys/netinet6/udp6_usrreq.c 1.146 sys/netmpls/mpls_proto.c 1.32 sys/netnatm/natm.c patch Fix memory leaks pointed out by Ilja Van Sprundel: all sendoob() functions are expted to free both passed mbuf chains.
Revision 1.136.2.3 / (download) - annotate - [select for diffs], Sun Apr 1 09:12:42 2018 UTC (6 years ago) by martin
Branch: netbsd-7
CVS Tags: netbsd-7-2-RELEASE
Changes since 1.136.2.2: +4 -3
lines
Diff to previous 1.136.2.2 (colored) to branchpoint 1.136 (colored)
Pull up following revision(s) (requested by maxv in ticket #1591): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt.
Revision 1.136.2.2 / (download) - annotate - [select for diffs], Tue Jan 30 18:28:45 2018 UTC (6 years, 2 months ago) by martin
Branch: netbsd-7
Changes since 1.136.2.1: +4 -4
lines
Diff to previous 1.136.2.1 (colored) to branchpoint 1.136 (colored)
Pull up following revision(s) (requested by maxv in ticket #1560):
sys/netinet6/frag6.c: revision 1.65
sys/netinet6/ip6_input.c: revision 1.187
sys/netinet6/ip6_var.h: revision 1.78
sys/netinet6/raw_ip6.c: revision 1.160 (patch)
Fix a buffer overflow in ip6_get_prevhdr. Doing
mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.
Revision 1.136.2.1 / (download) - annotate - [select for diffs], Wed Sep 28 20:24:06 2016 UTC (7 years, 6 months ago) by bouyer
Branch: netbsd-7
CVS Tags: netbsd-7-nhusb-base-20170116,
netbsd-7-1-RELEASE,
netbsd-7-1-RC2,
netbsd-7-1-RC1,
netbsd-7-1-1-RELEASE
Branch point for: netbsd-7-1
Changes since 1.136: +3 -4
lines
Diff to previous 1.136 (colored)
Pull up following revision(s) (requested by roy in ticket #1243): sys/netinet6/raw_ip6.c: revision 1.150 via patch sys/netinet6/in6_pcb.c: revision 1.149 via patch Allow explicit binding to detached addresss. Fixes PR kern/51435.
Revision 1.136 / (download) - annotate - [select for diffs], Sat Aug 9 05:33:01 2014 UTC (9 years, 8 months ago) by rtr
Branch: MAIN
CVS Tags: tls-maxphys-base,
tls-earlyentropy-base,
nick-nhusb-base,
netbsd-7-nhusb-base,
netbsd-7-base,
netbsd-7-0-RELEASE,
netbsd-7-0-RC3,
netbsd-7-0-RC2,
netbsd-7-0-RC1,
netbsd-7-0-2-RELEASE,
netbsd-7-0-1-RELEASE
Branch point for: nick-nhusb,
netbsd-7-nhusb,
netbsd-7-0,
netbsd-7
Changes since 1.135: +31 -22
lines
Diff to previous 1.135 (colored)
split PRU_CONNECT2 & PRU_PURGEIF function out of pr_generic() usrreq
switches and put into separate functions
- always KASSERT(solocked(so)) even if not implemented
(for PRU_CONNECT2 only)
- replace calls to pr_generic() with req = PRU_CONNECT2 with calls to
pr_connect2()
- replace calls to pr_generic() with req = PRU_PURGEIF with calls to
pr_purgeif()
put common code from unp_connect2() (used by unp_connect() into
unp_connect1() and call out to it when needed
patch only briefly reviewed by rmind@