Source-Changes-HG archive


[src/trunk]: src/sys/net/npf Modify the logic in npf_reassembly. Don't call n...



details:   https://anonhg.NetBSD.org/src/rev/90cb1a0bacba
branches:  trunk
changeset: 323976:90cb1a0bacba
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Jul 10 16:49:09 2018 +0000

description:
Modify the logic in npf_reassembly. Don't call nbuf_reset, we don't need
it since we don't read the IPv4 header anymore.

If ip{6}_reass_packet fails, always free 'm', and always clear the nbuf.

We want to avoid the case where

        'm' was reallocated
        the nbuf pointer was not updated accordingly
        the caller tried to use the nbuf pointer

This case doesn't happen right now, but the code is fragile, so strengthen
it.

diffstat:

 sys/net/npf/npf_handler.c |  15 ++++++---------
 1 files changed, 6 insertions(+), 9 deletions(-)

diffs (43 lines):

diff -r 865384fac56c -r 90cb1a0bacba sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Tue Jul 10 15:46:58 2018 +0000
+++ b/sys/net/npf/npf_handler.c Tue Jul 10 16:49:09 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.43 2018/07/10 15:46:58 maxv Exp $    */
+/*     $NetBSD: npf_handler.c,v 1.44 2018/07/10 16:49:09 maxv Exp $    */
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.43 2018/07/10 15:46:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.44 2018/07/10 16:49:09 maxv Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -79,20 +79,17 @@
        *mff = false;
        m = nbuf_head_mbuf(nbuf);
 
-       /* Reset the mbuf as it may have changed. */
-       nbuf_reset(nbuf);
-
        if (npf_iscached(npc, NPC_IP4)) {
                error = ip_reass_packet(&m);
-               KASSERT(!error || (m != NULL));
        } else if (npf_iscached(npc, NPC_IP6)) {
                error = ip6_reass_packet(&m, npc->npc_hlen);
-               if (error && m == NULL) {
-                       memset(nbuf, 0, sizeof(nbuf_t));
-               }
        }
+
        if (error) {
+               /* Reass failed. Free the mbuf, clear the nbuf. */
                npf_stats_inc(npf, NPF_STAT_REASSFAIL);
+               m_freem(m);
+               memset(nbuf, 0, sizeof(nbuf_t));
                return error;
        }
        if (m == NULL) {
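Review bot: The unconditional `m_freem(m)` in the new `if (error)` block depends on an ownership contract that nothing in this hunk states. The removed IPv6 branch tested `error && m == NULL`, so `ip6_reass_packet` can fail with `m` already NULL, while the removed `KASSERT(!error || (m != NULL))` recorded that the IPv4 path leaves `m` non-NULL on failure. The shared error path is therefore correct only if `m_freem` tolerates a NULL argument and if neither reassembly routine can return an error while `m` still points at an mbuf it has already released; otherwise this becomes a NULL dereference or a double free. Please extend the "Reass failed" comment to say who owns `m` on failure for both routines, so the assumption is visible to whoever next changes `ip_reass_packet` or `ip6_reass_packet`. It would also help to note at the call site that the nbuf is zeroed on error and must not be touched by the caller afterwards, since that is the invariant the commit message is trying to enforce.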


