author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-05-04 17:58:47 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-05-04 17:58:47 +0000 |
commit | 7f974b78cee07c7d1db67bc826cf636862318b39 (patch) | |
tree | f49ea68d299248cdd9a006b31d8780017ab37014 | |
parent | cc09ef627d2e8a7015f53b5c91a6ef7cf0f5cfe2 (diff) |
If m is not a contiguous mbuf cluster, m_pullup() in pr_input may
change the pointer. Then *mp keeps the invalid pointer and it might
be used. Fix the potential use after free and also reset *mp in
other places to have fewer dangling pointers to freed mbufs.
OK mpi@ mikeb@
-rw-r--r-- | sys/net/if_etherip.c | 10 | ||||
-rw-r--r-- | sys/netinet/igmp.c | 4 | ||||
-rw-r--r-- | sys/netinet/ip_carp.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_gre.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_ipip.c | 6 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 4 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 6 | ||||
-rw-r--r-- | sys/netinet6/icmp6.c | 6 |
9 files changed, 27 insertions, 27 deletions
diff --git a/sys/net/if_etherip.c b/sys/net/if_etherip.c
index 7abc0af80b8..5978cacb742 100644
--- a/sys/net/if_etherip.c
+++ b/sys/net/if_etherip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_etherip.c,v 1.17 2017/04/14 20:46:31 bluhm Exp $ */
+/* $OpenBSD: if_etherip.c,v 1.18 2017/05/04 17:58:46 bluhm Exp $ */
 /*
 * Copyright (c) 2015 Kazuya GODA <goda@openbsd.org>
 *
@@ -462,7 +462,7 @@ ip_etherip_input(struct mbuf **mp, int *offp, int proto, int af)
 }
 m_adj(m, *offp);
- m = m_pullup(m, sizeof(struct etherip_header));
+ m = *mp = m_pullup(m, sizeof(struct etherip_header));
 if (m == NULL) {
 etheripstat.etherips_adrops++;
 return IPPROTO_DONE;
@@ -480,7 +480,7 @@ ip_etherip_input(struct mbuf **mp, int *offp, int proto, int af)
 sizeof(struct etherip_header));
 m_adj(m, sizeof(struct etherip_header));
- m = m_pullup(m, sizeof(struct ether_header));
+ m = *mp = m_pullup(m, sizeof(struct ether_header));
 if (m == NULL) {
 etheripstat.etherips_adrops++;
 return IPPROTO_DONE;
@@ -622,7 +622,7 @@ ip6_etherip_input(struct mbuf **mp, int *offp, int proto, int af)
 }
 m_adj(m, *offp);
- m = m_pullup(m, sizeof(struct etherip_header));
+ m = *mp = m_pullup(m, sizeof(struct etherip_header));
 if (m == NULL) {
 etheripstat.etherips_adrops++;
 return IPPROTO_DONE;
@@ -639,7 +639,7 @@ ip6_etherip_input(struct mbuf **mp, int *offp, int proto, int af)
 sizeof(struct etherip_header));
 m_adj(m, sizeof(struct etherip_header));
- m = m_pullup(m, sizeof(struct ether_header));
+ m = *mp = m_pullup(m, sizeof(struct ether_header));
 if (m == NULL) {
 etheripstat.etherips_adrops++;
 return IPPROTO_DONE;
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 50950876dda..12b9561b0ec 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: igmp.c,v 1.66 2017/04/14 20:46:31 bluhm Exp $ */
+/* $OpenBSD: igmp.c,v 1.67 2017/05/04 17:58:46 bluhm Exp $ */
 /* $NetBSD: igmp.c,v 1.15 1996/02/13 23:41:25 christos Exp $ */
 /*
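Review bot: The invariant that `*mp` must mirror `m` after every call that can replace or free the chain is now enforced by chained assignment at each m_pullup() site in ip_etherip_input and ip6_etherip_input, but it is never stated, so the next pullup added to either function is likely to repeat the original bug. Add a one-line comment at the first of these sites, `/* m_pullup() may replace the chain; keep *mp in sync so the caller never sees a freed mbuf */`, and preferably state the contract once in the documentation of the pr_input entry points rather than at every call. The same chained `m = *mp = ...` pattern appears in the igmp.c, ip_carp.c, ip_gre.c, ip_icmp.c, ip_ipip.c and udp_usrreq.c hunks; this note covers those too. All four hunks in this file show only the middle of their enclosing functions.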
@@ -253,7 +253,7 @@ igmp_input_if(struct ifnet *ifp, struct mbuf **mp, int *offp, int proto, int af)
 }
 minlen = iphlen + IGMP_MINLEN;
 if ((m->m_flags & M_EXT || m->m_len < minlen) &&
- (m = m_pullup(m, minlen)) == NULL) {
+ (m = *mp = m_pullup(m, minlen)) == NULL) {
 igmpstat_inc(igps_rcv_tooshort);
 return IPPROTO_DONE;
 }
diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index c5d53105268..3c2f9914212 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_carp.c,v 1.308 2017/04/14 20:46:31 bluhm Exp $ */
+/* $OpenBSD: ip_carp.c,v 1.309 2017/05/04 17:58:46 bluhm Exp $ */
 /*
 * Copyright (c) 2002 Michael Shalayeff. All rights reserved.
@@ -487,7 +487,7 @@ carp_proto_input_if(struct ifnet *ifp, struct mbuf **mp, int *offp, int proto)
 return IPPROTO_DONE;
 }
- if ((m = m_pullup(m, len)) == NULL) {
+ if ((m = *mp = m_pullup(m, len)) == NULL) {
 carpstat_inc(carps_hdrops);
 return IPPROTO_DONE;
 }
@@ -562,7 +562,7 @@ carp6_proto_input_if(struct ifnet *ifp, struct mbuf **mp, int *offp, int proto)
 /* verify that we have a complete carp packet */
 len = m->m_len;
- if ((m = m_pullup(m, *offp + sizeof(*ch))) == NULL) {
+ if ((m = *mp = m_pullup(m, *offp + sizeof(*ch))) == NULL) {
 carpstat_inc(carps_badlen);
 CARP_LOG(LOG_INFO, sc, ("packet size %u too small", len));
 return IPPROTO_DONE;
diff --git a/sys/netinet/ip_gre.c b/sys/netinet/ip_gre.c
index 9b7ce509b50..27573c63b07 100644
--- a/sys/netinet/ip_gre.c
+++ b/sys/netinet/ip_gre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_gre.c,v 1.63 2017/04/14 20:46:31 bluhm Exp $ */
+/* $OpenBSD: ip_gre.c,v 1.64 2017/05/04 17:58:46 bluhm Exp $ */
 /* $NetBSD: ip_gre.c,v 1.9 1999/10/25 19:18:11 drochner Exp $ */
 /*
@@ -280,7 +280,7 @@ gre_mobile_input(struct mbuf **mp, int *offp, int proto, int af)
 }
 if (m->m_len < sizeof(*mip)) {
- m = m_pullup(m, sizeof(*mip));
+ m = *mp = m_pullup(m, sizeof(*mip));
 if (m == NULL)
 return IPPROTO_DONE;
 }
@@ -300,7 +300,7 @@ gre_mobile_input(struct mbuf **mp, int *offp, int proto, int af)
 msiz = MOB_H_SIZ_S;
 if (m->m_len < (ip->ip_hl << 2) + msiz) {
- m = m_pullup(m, (ip->ip_hl << 2) + msiz);
+ m = *mp = m_pullup(m, (ip->ip_hl << 2) + msiz);
 if (m == NULL)
 return IPPROTO_DONE;
 ip = mtod(m, struct ip *);
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 7712058a152..051c9361901 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.166 2017/04/19 15:21:54 bluhm Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.167 2017/05/04 17:58:46 bluhm Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
 /*
@@ -354,7 +354,7 @@ icmp_input_if(struct ifnet *ifp, struct mbuf **mp, int *offp, int proto, int af)
 goto freeit;
 }
 i = hlen + min(icmplen, ICMP_ADVLENMIN);
- if (m->m_len < i && (m = m_pullup(m, i)) == NULL) {
+ if (m->m_len < i && (m = *mp = m_pullup(m, i)) == NULL) {
 icmpstat_inc(icps_tooshort);
 return IPPROTO_DONE;
 }
@@ -476,7 +476,7 @@ icmp_input_if(struct ifnet *ifp, struct mbuf **mp, int *offp, int proto, int af)
 icmpstat_inc(icps_badlen);
 goto freeit;
 } else {
- if ((m = m_pullup(m, (ip->ip_hl << 2) +
+ if ((m = *mp = m_pullup(m, (ip->ip_hl << 2) +
 ICMP_V6ADVLEN(icp))) == NULL) {
 icmpstat_inc(icps_tooshort);
 return IPPROTO_DONE;
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c
index 8b4b0c54609..c809bcc3b80 100644
--- a/sys/netinet/ip_ipip.c
+++ b/sys/netinet/ip_ipip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.c,v 1.75 2017/05/04 15:00:24 bluhm Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.76 2017/05/04 17:58:46 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
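Review bot: In the second ip_icmp.c hunk the pullup length is computed from `ip->ip_hl` and `icp`, both of which point into the chain that m_pullup() may free; evaluating them as arguments before the call is fine, but any code after the hunk that still dereferences `ip` or `icp` must re-derive them from the new `m` with mtod(), the way the second ip_gre.c hunk does with `ip = mtod(m, struct ip *);`. The re-derivation is not visible inside this hunk, so this is a check to make against the lines that follow rather than a confirmed defect. The same check applies to `mip` after the first ip_gre.c hunk and to the header pointers after both ip_ipip.c hunks, where only the pullup and its failure path are shown. icmp_input_if continues on both sides of the hunk.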
@@ -156,7 +156,7 @@ ipip_input(struct mbuf **mp, int *offp, struct ifnet *gifp, int proto)
 /* Bring the IP header in the first mbuf, if not there already */
 if (m->m_len < hlen) {
- if ((m = m_pullup(m, hlen)) == NULL) {
+ if ((m = *mp = m_pullup(m, hlen)) == NULL) {
 DPRINTF(("ipip_input(): m_pullup() failed\n"));
 ipipstat_inc(ipips_hdrops);
 return IPPROTO_DONE;
@@ -210,7 +210,7 @@ ipip_input(struct mbuf **mp, int *offp, struct ifnet *gifp, int proto)
 * Bring the inner header into the first mbuf, if not there already.
 */
 if (m->m_len < hlen) {
- if ((m = m_pullup(m, hlen)) == NULL) {
+ if ((m = *mp = m_pullup(m, hlen)) == NULL) {
 DPRINTF(("ipip_input(): m_pullup() failed\n"));
 ipipstat_inc(ipips_hdrops);
 return IPPROTO_DONE;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 70887a58be0..38b2f7c6748 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.342 2017/05/03 19:58:12 millert Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.343 2017/05/04 17:58:46 bluhm Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
@@ -702,7 +702,7 @@ findpcb:
 * in use for the reply,
 * do not free it.
 */
- m = NULL;
+ m = *mp = NULL;
 goto drop;
 } else {
 /*
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 75e84b445e5..e486dcbaec2 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.235 2017/04/17 20:48:21 bluhm Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.236 2017/05/04 17:58:46 bluhm Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -295,7 +295,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 * to userland
 */
 if (spi != 0) {
- if ((m = m_pullup(m, skip)) == NULL) {
+ if ((m = *mp = m_pullup(m, skip)) == NULL) {
 udpstat_inc(udps_hdrops);
 return IPPROTO_DONE;
 }
@@ -648,7 +648,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 struct pipex_session *session;
 int off = iphlen + sizeof(struct udphdr);
 if ((session = pipex_l2tp_lookup_session(m, off)) != NULL) {
- if ((m = pipex_l2tp_input(m, off, session,
+ if ((m = *mp = pipex_l2tp_input(m, off, session,
 ipsecflowinfo)) == NULL) {
 m_freem(opts); /* the packet is handled by PIPEX */
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 2464db14bf8..e9cb269a197 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.207 2017/04/19 15:44:45 bluhm Exp $ */
+/* $OpenBSD: icmp6.c,v 1.208 2017/05/04 17:58:46 bluhm Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 /*
@@ -533,7 +533,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto, int af)
 if ((n = m_copym(m, 0, M_COPYALL, M_DONTWAIT)) == NULL) {
 /* Give up local */
 n = m;
- m = NULL;
+ m = *mp = NULL;
 goto deliverecho;
 }
 /*
@@ -567,7 +567,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto, int af)
 /* Give up local */
 m_freem(n0);
 n = m;
- m = NULL;
+ m = *mp = NULL;
 goto deliverecho;
 }
 M_MOVE_PKTHDR(n, n0);
|
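Review bot: Both icmp6.c hunks hand the original chain to `n` and then clear `m` and `*mp`, but the existing `/* Give up local */` comment does not say why `*mp` is cleared, so a reader can mistake the reset for a dropped reference rather than an ownership transfer. Expand the comment at both sites to `/* Give up local copy: n now owns the chain, clear *mp so the caller does not free it */`. The tcp_input.c hunk does the same with `m = *mp = NULL; goto drop;` under its "in use for the reply, do not free it" comment, which is the natural place to mention `*mp` as well. icmp6_input continues on both sides of each hunk, so whether the `deliverecho` path relies on `*mp` being NULL cannot be confirmed from here.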