Source-Changes-HG archive


[src/trunk]: src/sys/net/npf Modify the logic in npf_reassembly. Don't call n...



details:   https://anonhg.NetBSD.org/src/rev/f6d81a1e276b
branches:  trunk
changeset: 833743:f6d81a1e276b
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Jul 10 16:49:09 2018 +0000

description:
Modify the logic in npf_reassembly. Don't call nbuf_reset, we don't need
it since we don't read the IPv4 header anymore.

If ip{6}_reass_packet fails, always free 'm', and always clear the nbuf.

We want to avoid the case where

        'm' was reallocated
        the nbuf pointer was not updated accordingly
        the caller tried to use the nbuf pointer

This case doesn't happen right now, but the code is fragile, so strengthen
it.

diffstat:

 sys/net/npf/npf_handler.c |  15 ++++++---------
 1 files changed, 6 insertions(+), 9 deletions(-)

diffs (43 lines):

diff -r 83afa5a78c12 -r f6d81a1e276b sys/net/npf/npf_handler.c
--- a/sys/net/npf/npf_handler.c Tue Jul 10 15:46:58 2018 +0000
+++ b/sys/net/npf/npf_handler.c Tue Jul 10 16:49:09 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_handler.c,v 1.43 2018/07/10 15:46:58 maxv Exp $    */
+/*     $NetBSD: npf_handler.c,v 1.44 2018/07/10 16:49:09 maxv Exp $    */
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.43 2018/07/10 15:46:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.44 2018/07/10 16:49:09 maxv Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -79,20 +79,17 @@
        *mff = false;
        m = nbuf_head_mbuf(nbuf);
 
-       /* Reset the mbuf as it may have changed. */
-       nbuf_reset(nbuf);
-
        if (npf_iscached(npc, NPC_IP4)) {
                error = ip_reass_packet(&m);
-               KASSERT(!error || (m != NULL));
        } else if (npf_iscached(npc, NPC_IP6)) {
                error = ip6_reass_packet(&m, npc->npc_hlen);
-               if (error && m == NULL) {
-                       memset(nbuf, 0, sizeof(nbuf_t));
-               }
        }
+
        if (error) {
+               /* Reass failed. Free the mbuf, clear the nbuf. */
                npf_stats_inc(npf, NPF_STAT_REASSFAIL);
+               m_freem(m);
+               memset(nbuf, 0, sizeof(nbuf_t));
                return error;
        }
        if (m == NULL) {
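Review bot: In the new `if (error)` block, `m_freem(m)` now runs unconditionally, yet the removed IPv6 branch (`if (error && m == NULL)`) shows that ip6_reass_packet can return an error with `m` already NULL. The free therefore relies on m_freem tolerating a NULL pointer, and in the non-NULL case on the reassembly routine not having released the chain itself. The dropped `KASSERT(!error || (m != NULL))` was the only line that stated the IPv4 side of that contract. Please extend the new comment to spell out the ownership rule on failure (on error, `m` is either NULL or still ours to free), or guard the call with `if (m != NULL)`, so the next reader does not have to check both reassembly functions to rule out a double free.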


