Source-Changes archive


CVS commit: [netbsd-7] src/sys/net/npf

Module Name:    src
Committed By:   martin
Date:           Mon May 14 16:16:04 UTC 2018

Modified Files:
        src/sys/net/npf [netbsd-7]: npf_alg_icmp.c npf_inet.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1605):

        sys/net/npf/npf_inet.c: revision 1.45
        sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29

Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
Discussed with rmind@.

Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.

Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.

To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.2.1 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.32.2.2 -r1.32.2.3 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
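The pattern the commit describes, reduced to a stand-alone illustration. This is an added example and not NetBSD's npf code: a toy cache (`struct cache`, standing in for `npc`) holds raw pointers into a packet buffer (`struct pkt`, standing in for the nbuf/mbuf); `pkt_ensure()` models an operation that pulls more data into the buffer and may reallocate it, which leaves every cached pointer dangling. The names `pkt_new`, `pkt_ensure`, `cache_fill`, `cache_valid`, `L3_LEN` and the 40/64-byte sizes are constructed for this example. Staleness is checked by comparing addresses rather than by dereferencing freed memory, so the example runs cleanly; the fix mirrors the commit's rule of recaching unconditionally after the last buffer touch, since the cache itself cannot tell whether the buffer moved.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define L3_LEN 20   /* constructed: fixed "IP header" length for the toy */

struct pkt {        /* toy stand-in for the nbuf/mbuf chain */
    uint8_t *data;
    size_t   len;
};

struct cache {      /* toy stand-in for npf_cache_t (npc): pointers into pkt->data */
    const uint8_t *l3;
    const uint8_t *l4;
};

/* Fill the cache with pointers into the buffer as it is right now. */
static void cache_fill(struct cache *c, const struct pkt *p)
{
    c->l3 = p->data;
    c->l4 = p->data + L3_LEN;
}

/* Do the cached pointers still point into the current buffer? */
static int cache_valid(const struct cache *c, const struct pkt *p)
{
    return c->l3 == p->data && c->l4 == p->data + L3_LEN;
}

/* Make at least 'need' bytes contiguous. Allocates new storage before
 * freeing the old, so a grow always moves the buffer; returns 1 if it did. */
static int pkt_ensure(struct pkt *p, size_t need)
{
    if (need <= p->len)
        return 0;
    uint8_t *n = calloc(need, 1);
    if (n == NULL)
        abort();
    memcpy(n, p->data, p->len);
    free(p->data);      /* old storage is gone: any pointer into it now dangles */
    p->data = n;
    p->len = need;
    return 1;
}

static struct pkt *pkt_new(size_t len)
{
    struct pkt *p = calloc(1, sizeof *p);
    if (p == NULL)
        abort();
    p->data = calloc(len, 1);
    if (p->data == NULL)
        abort();
    p->len = len;
    return p;
}

static void pkt_free(struct pkt *p)
{
    free(p->data);
    free(p);
}

/* Buggy shape: cache, touch the buffer, keep using the cache.
 * Returns 1 when the cache went stale (the use-after-free condition). */
int run_buggy_case(void)
{
    struct pkt *p = pkt_new(40);
    struct cache npc;
    cache_fill(&npc, p);
    pkt_ensure(p, 64);              /* e.g. pulling in an embedded ICMP payload */
    int stale = !cache_valid(&npc, p);
    pkt_free(p);
    return stale;
}

/* Fixed shape: recache unconditionally once the buffer will not be touched again. */
int run_fixed_case(void)
{
    struct pkt *p = pkt_new(40);
    struct cache npc;
    cache_fill(&npc, p);
    pkt_ensure(p, 64);
    cache_fill(&npc, p);            /* pointers now refer to the live buffer */
    int stale = !cache_valid(&npc, p);
    pkt_free(p);
    return stale;
}

int main(void)
{
    printf("without recache: stale=%d\n", run_buggy_case());
    printf("with recache:    stale=%d\n", run_fixed_case());
    return 0;
}
```

The recache is unconditional for the same reason the commit gives: a flag stored inside the buffer cannot report that the buffer itself was replaced, so the only safe rule is to rebuild the cache after the last operation that may have moved the data.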
