The NetBSD Project

CVS log for src/sys/netinet6/raw_ip6.c

[BACK] Up to [cvs.NetBSD.org] / src / sys / netinet6

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: netbsd-8


Revision 1.157.2.6 / (download) - annotate - [select for diffs], Thu Mar 23 12:08:39 2023 UTC (12 months ago) by martin
Branch: netbsd-8
Changes since 1.157.2.5: +13 -4 lines
Diff to previous 1.157.2.5 (colored) to branchpoint 1.157 (colored) next main 1.158 (colored)

Pull up following revision(s) (requested by ozaki-r in ticket #1808):

	sys/netinet6/raw_ip6.c: revision 1.183 (via patch)
	sys/netinet6/ip6_output.c: revision 1.233

in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.

in6: make sure a user-specified checksum field is within a packet
From OpenBSD

Revision 1.157.2.5 / (download) - annotate - [select for diffs], Tue Jan 29 07:04:09 2019 UTC (5 years, 1 month ago) by msaitoh
Branch: netbsd-8
CVS Tags: netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1
Changes since 1.157.2.4: +4 -4 lines
Diff to previous 1.157.2.4 (colored) to branchpoint 1.157 (colored)

Pull up following revision(s) (requested by martin in ticket #1175):
sys/net/link_proto.c				1.37
sys/netatalk/ddp_usrreq.c			1.72
sys/netbt/hci_socket.c				1.46
sys/netbt/l2cap_socket.c			1.36
sys/netbt/rfcomm_socket.c			1.38
sys/netbt/sco_socket.c				1.38
sys/netinet/sctp_usrreq.c			1.14
sys/netinet/tcp_usrreq.c			1.223
sys/netinet6/raw_ip6.c				1.173
sys/netinet6/sctp6_usrreq.c			1.17
sys/netinet6/udp6_usrreq.c			1.146
sys/netmpls/mpls_proto.c			1.32
sys/netnatm/natm.c				patch

	Fix memory leaks pointed out by Ilja Van Sprundel: all
	sendoob() functions are expted to free both passed
	mbuf chains.

Revision 1.157.2.4 / (download) - annotate - [select for diffs], Mon Apr 9 13:34:10 2018 UTC (5 years, 11 months ago) by bouyer
Branch: netbsd-8
CVS Tags: netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1
Changes since 1.157.2.3: +4 -3 lines
Diff to previous 1.157.2.3 (colored) to branchpoint 1.157 (colored)

Pull up following revision(s) (requested by roy in ticket #724):
	tests/net/icmp/t_ping.c: revision 1.19
	sys/netinet6/raw_ip6.c: revision 1.166
	sys/netinet6/ip6_input.c: revision 1.195
	sys/net/raw_usrreq.c: revision 1.59
	sys/sys/socketvar.h: revision 1.151
	sys/kern/uipc_socket2.c: revision 1.128
	tests/lib/libc/sys/t_recvmmsg.c: revision 1.2
	lib/libc/sys/recv.2: revision 1.38
	sys/net/rtsock.c: revision 1.239
	sys/netinet/udp_usrreq.c: revision 1.246
	sys/netinet6/icmp6.c: revision 1.224
	tests/net/icmp/t_ping.c: revision 1.20
	sys/netipsec/keysock.c: revision 1.63
	sys/netinet/raw_ip.c: revision 1.172
	sys/kern/uipc_socket.c: revision 1.260
	tests/net/icmp/t_ping.c: revision 1.22
	sys/kern/uipc_socket.c: revision 1.261
	tests/net/icmp/t_ping.c: revision 1.23
	sys/netinet/ip_mroute.c: revision 1.155
	sbin/route/route.c: revision 1.159
	sys/netinet6/ip6_mroute.c: revision 1.123
	sys/netatalk/ddp_input.c: revision 1.31
	sys/netcan/can.c: revision 1.3
	sys/kern/uipc_usrreq.c: revision 1.184
	sys/netinet6/udp6_usrreq.c: revision 1.138
	tests/net/icmp/t_ping.c: revision 1.18
socket: report receive buffer overflows
Add soroverflow() which increments the overflow counter, sets so_error
to ENOBUFS and wakes the receive socket up.
Replace all code that manually increments this counter with soroverflow().
Add soroverflow() to raw_input().
This allows userland to detect route(4) overflows so it can re-sync
with the current state.
socket: clear error even when peeking
The error has already been reported and it's pointless requiring another
recv(2) call just to clear it.
socket: remove now incorrect comment that so_error is only udp
As it can be affected by route(4) sockets which are raw.
rtsock: log dropped messages that we cannot report to userland
Handle ENOBUFS when receiving messages.
Don't send messages if the receiver has died.
Sprinkle more soroverflow().
Handle ENOBUFS in recv
Handle ENOBUFS in sendto
Note value received. Harden another sendto for ENOBUFS.
Handle the routing socket overflowing gracefully.
Allow a valid sendto .... duh
Handle errors better.
Fix test for checking we sent all the data we asked to.

Revision 1.157.2.3 / (download) - annotate - [select for diffs], Fri Mar 30 11:42:59 2018 UTC (6 years ago) by martin
Branch: netbsd-8
Changes since 1.157.2.2: +4 -3 lines
Diff to previous 1.157.2.2 (colored) to branchpoint 1.157 (colored)

Pull up following revision(s) (requested by maxv in ticket #666):

	sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.

Revision 1.157.2.2 / (download) - annotate - [select for diffs], Tue Jan 30 18:21:09 2018 UTC (6 years, 1 month ago) by martin
Branch: netbsd-8
Changes since 1.157.2.1: +4 -4 lines
Diff to previous 1.157.2.1 (colored) to branchpoint 1.157 (colored)

Pull up following revision(s) (requested by maxv in ticket #527):
	sys/netinet6/frag6.c: revision 1.65
	sys/netinet6/ip6_input.c: revision 1.187
	sys/netinet6/ip6_var.h: revision 1.78
	sys/netinet6/raw_ip6.c: revision 1.160
Fix a buffer overflow in ip6_get_prevhdr. Doing
        mtod(m, char *) + len
is wrong, an option is allowed to be located in another mbuf of the chain.
If the offset of an option within the chain is bigger than the length of
the first mbuf in that chain, we are reading/writing one byte of packet-
controlled data beyond the end of the first mbuf.
The length of this first mbuf depends on the layout the network driver
chose. In the most difficult case, it will allocate a 2KB cluster, which
is bigger than the Ethernet MTU.
But there is at least one way of exploiting this case: by sending a
special combination of nested IPv6 fragments, the packet can control a
good bunch of 'len'. By luck, the memory pool containing clusters does not
embed the pool header in front of the items, so it is not straightforward
to predict what is located at 'mtod(m, char *) + len'.
However, by sending offending fragments in a loop, it is possible to
crash the kernel - at some point we will hit important data structures.
As far as I can tell, PF protects against this difficult case, because
it kicks nested fragments. NPF does not protect against this. IPF I don't
know.
Then there are the more easy cases, if the MTU is bigger than a cluster,
or if the network driver did not allocate a cluster, or perhaps if the
fragments are received via a tunnel; I haven't investigated these cases.
Change ip6_get_prevhdr so that it returns an offset in the chain, and
always use IP6_EXTHDR_GET to get a writable pointer. IP6_EXTHDR_GET
leaves M_PKTHDR untouched.
This place is still fragile.

Revision 1.157.2.1 / (download) - annotate - [select for diffs], Wed Nov 8 22:24:55 2017 UTC (6 years, 4 months ago) by snj
Branch: netbsd-8
Changes since 1.157: +4 -3 lines
Diff to previous 1.157 (colored)

Pull up following revision(s) (requested by ozaki-r in ticket #350):
	sys/netinet6/icmp6.c: revision 1.214
	sys/netinet6/raw_ip6.c: revision 1.158
Fix usages of ipsec_used
If IPsec isn't used, we must go back to the normal path.
PR kern/52659

Revision 1.157 / (download) - annotate - [select for diffs], Thu Jun 1 02:45:14 2017 UTC (6 years, 9 months ago) by chs
Branch: MAIN
CVS Tags: perseant-stdc-iso10646-base, perseant-stdc-iso10646, nick-nhusb-base-20170825, netbsd-8-base, matt-nb8-mediatek-base, matt-nb8-mediatek
Branch point for: netbsd-8
Changes since 1.156: +2 -6 lines
Diff to previous 1.156 (colored)

remove checks for failure after memory allocation calls that cannot fail:

  kmem_alloc() with KM_SLEEP
  kmem_zalloc() with KM_SLEEP
  percpu_alloc()
  pserialize_create()
  psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>