Age | Commit message | Author |
|
|
|
tested by Hrvoje
OK mpi@, OK bluhm@
|
|
ok jmatthew@
|
|
no entry is missed.
While here do not re-order or send messages for route entries that are
already in the expected state.
Make rttest30 pass.
ok gerhard@
|
|
Not all of them need the NET_LOCK().
ok bluhm@
|
|
all the callers to call m_freem(9).
Support from deraadt@ and tedu@, ok visa@, bluhm@
|
|
Problem reported and fix tested by Hrvoje Popovski.
ok bluhm@, visa@
|
|
When hfsc_deq_begin can't obtain an mbuf from the queue which can
happen with fq_codel, the hfsc_deq_commit isn't called and HFSC
doesn't get to update the active queue list of the parent class.
To successfully purge and destroy such class, we need to make
sure to run the service curve update routine even if we haven't
dequeued anything so that the parent class doesn't accumulate
stale child classes on its active list.
Reported by Atanas Vladimirov, OK visa
|
|
Since NET_LOCK no longer protects the ioctl path from timeouts
running while ifq configuration is happening, the hfsc_deferred
timeout needs to make sure that the underlying HFSC object is
locked before attempting to reference it. This prevents the race
happening after we release the ifq mutex in ifq_attach but before
hfsc_free disables the timeout.
The second race is possible after hfsc_alloc but before the ifq
mutex gets locked in ifq_attach and a new set of ifq operations
is installed. If hfsc_deferred fires in between, it wouldn't be
able to reschedule itself and will no longer be executed. To
prevent this, the timeout can be established when packets are
enqueued instead of the moment the queue is created.
With input and OK visa
|
|
When short packets are sent to the bridge with IPsec enabled,
an incorrect error path can be taken which leads to a lookup
of an SPD entry using an uninitialized SPI. Most of the time
this will fail, however there's a chance that an existing SPD
entry corresponds to the provided SPI which leads to use of
another uninitialized variable used to offset the IP or IPv6
header in order to get to the security protocol header.
ESP performs packet length checks and will fail when such
packets reach it, but AH and IPComp don't have similar
checks and are affected the most.
CID 1452946, 1452957; Severity: Major
OK millert, visa, bluhm
|
|
Don't trust the value of pfra_type blindly since it's coming from
userland and sanitize it in pfr_validate_addr that is called after
every copyin and also perform the check in pfr_create_kentry before
we attempt to use the value, not after.
Coverity CID 1452909, 1453097, 1453384; Severity: Minor
It can be triggered only by root by default or anyone with write
access to /dev/pf if such access is provided.
ok visa, bcook, sashan, jsg
|
|
sppp_update_ip6_addr() became the last user of n6_are_prefix_equal().
Since it compares /128 prefixes it doesn't need all the bells and
whistles and can be converted to a memcmp. Remove the now unused
n6_are_prefix_equal().
OK bluhm, mpi
|
|
This was a bit confusing for the scanner and when reviewing the code.
Coverity CIDs 1453053 1453106; Severity: Insignificant
ok mpi@
|
|
|
|
increment in pf_create_state(), decrement in pf_set_protostate().
input & ok bluhm
|
|
sppp_output has the following comment:
"Don't choke with an ENETDOWN early. It's possible that we just
started dialing out, so don't drop the packet immediately. If we
notice that we run out of buffer space below, we will however remember
that we are not ready to carry IPv6 packets, and return ENETDOWN, as
opposed to ENOBUFS."
A later revision of the code just returned ENOBUFS anyway, ignoring
the rv variable that might have ENETDOWN instead, turning rv into an
unused variable.
Coverity CID 1299246; Severity: Minor
OK sthen@
|
|
returning 0 (success) on error instead of an error number. The caller
doesn't evaluate the return value, so it is good enough to return
ENOBUFS (non-0) on error and to remove "ret" in trunk_cast_start().
Coverity CID 1453105; Severity: Minor
OK mpi@
|
|
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
ok bluhm benno
|
|
Tested by Hrvoje Popovski.
|
|
Tested by Hrvoje Popovski, ok bluhm@
|
|
changed with known constants (RFC3079). Current code uses a switch case without
breaks which implicitly makes the code correct, but to improve readability the
first octet should have the constant assigned also in the first case, without
relying on a fallthrough to the second, and the break statement should be
called on both cases.
This was a false positive found in Coverity CID 1453390, but changed due to
readability as explained above.
After discussion with millert@ and guenther@
|
|
Pointed out by tom@
|
|
pointless "ip = NULL; if (ip) ..." sequence.
Coverity CID 1453286; Severity: Minor
OK sthen@ tom@
|
|
Another case of the "C indexes start at 0" bug where ">" must be ">=":
	if (i >= nitems(foo))
		return (NULL);
	else
		return (foo[i].handler);
Coverity CID 1453340; Severity: Major
OK millert@ goda@
|
|
swofp_flow_entry_instruction_free is used to "reset" the tables. It
called free on each table but didn't set them to NULL, causing
potential double-frees in swofp_flow_entry_put_instructions().
Instead of complicating the code and adding an X = NULL for each table,
restructure it by introducing a generic function to free tables as
they're all derived from struct ofp_instruction.
Reported by Coverity as various "Read from pointer after free" errors:
Coverity CIDs 1452955 1453345 1452858 1453031 1453179 1453216 1453093
OK millert@ goda@
|
|
Found by Coverity because vlan_vid was assigned twice.
Coverity CID 1453293; Severity: Minor
OK millert@ goda@
|
|
Coverity CID 1453281; Severity: Minor
OK millert@ goda@
|
|
final if statement, use it once after the if statement.
Avoids duplicated and structurally dead code.
Coverity CID 1452943; Severity: Insignificant
OK millert@ goda@
|
|
This could be triggered by an OpenFlow packet with the multipart
message type of 14 ... because C array indexes start at 0.
Coverity CID 1452917; Severity: Major
OK millert@ goda@
|
|
This could be triggered by an OpenFlow packet with the message type of 30
... because C array indexes start at 0.
Coverity CID 1453219; Severity: Major
OK millert@ goda@
|
|
Always call getmicrouptime(&tv) to avoid an "Uninitialized scalar variable".
Coverity CID 1453266; Severity: Insignificant
OK deraadt@
|
|
ok phessler@, visa@, bluhm@
|
|
vxlan interface into accepting packets for the wrong destination (if
the sockaddr_in6 checks somehow match on sockaddr_in addresses).
Coverity CID 1452902; Severity: Moderate
OK mikeb@
|
|
OK mpi@ visa@
|
|
in bfd_listener().
OK phessler@
|
|
In particular setting an expiration timer on a route entry which would
confuse L2 state machines.
ok bluhm@
|
|
thread to a task running on the `softnettq`.
Tested and inputs from Hrvoje Popovski.
ok visa@, sashan@
|
|
flag. Notify userland about this via the route socket, otherwise
slaacd gets confused about the state the interface is in.
OK on a previous version sthen
input & OK bluhm
|
|
|
|
ok bluhm@, florian@
|
|
ok mpi
|
|
I introduced this bug in 2015 but the splsoftnet()/splx() dance in the
upper layer masked it. Pseudo drivers generally don't need any splnet()
protection.
Found by Mark Patruck and Andrei-Marius Radu since the NET_LOCK() no longer
raises any IPL.
Strangely jsg@ confirmed that neither cppcheck nor coccinelle found the missing splx().
ok kettenis@, sthen@, deraadt@
|
|
OK mpi
|
|
Prompted by a bug report by naddy that IPv6 autoconfiguration is broken
in the installer.
OK mpi, "go for it" deraadt
|
|
rtdeletemsg().
ok bluhm@
|
|
Reduce differences with rtm_miss().
ok claudio@, bluhm@
|
|
is correctly NUL terminated.
Reported by Ilja Van Sprundel
With and OK bluhm@
|
|
wrapped around. Fix them to cast the proper width of integer when
comparing. Found by goda@
|
|
Suggested by and OK bluhm@ OK mpi@
|
|
|