| Age | Commit message (Collapse) | Author |
|---|
|
The best-guessed limits will be tested by trial.
|
|
Tighter limits and OK by sashan
|
|
OK sashan
|
|
RFC 4291 dropped this requirement from RFC 3513:
o An anycast address must not be used as the source address of an
IPv6 packet.
And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly
concluded that TCP connections must be prevented.
The draft also states:
The proposed method MUST be removed when one of the following events
happens in the future:
o Restriction imposed on IPv6 anycast address is loosened, so that
anycast address can be placed into source address field of the IPv6
header[...]
OK jca
|
|
to the previous behavior: In case of a tie the new implementation
would keep the current best address while the old implementation
replaced the best address.
Since IPv6 addresses are stored in a TAILQ this meant that the rewrite
would use the "oldest" address while the previous behavior was to use
the "newest".
RFC 6724 section 5 has no opinion which one is better and leaves the
tie break up to implementers.
naddy found out the hard way that this breaks his IPv6 connectivity in
case of flash renumbering events when the link on his cpe flaps and a
new prefix is used since we would always pick an old address.
While we could pick the newest address in a tie break this feels too
much like an implementation detail, a solution much more in the spirit
of IPv6 is to pick the address with the highest preferred lifetime (or
valid lifetime in case of another tie).
very patient testing naddy@
|
|
Fixes a bunch of panics reported by syzkaller.
ok florian@
Reported-by: syzbot+02f2e07964a89ab65ea4@syzkaller.appspotmail.com
Reported-by: syzbot+c26b058a499ce38f689f@syzkaller.appspotmail.com
Reported-by: syzbot+62af76d8cb7c09ac017c@syzkaller.appspotmail.com
Reported-by: syzbot+d70144b3ae2ec068e318@syzkaller.appspotmail.com
Reported-by: syzbot+3c87ca9873bfd0492f5c@syzkaller.appspotmail.com
Reported-by: syzbot+323549177062adb80f84@syzkaller.appspotmail.com
Reported-by: syzbot+e745c1c29d960337ce14@syzkaller.appspotmail.com
Reported-by: syzbot+91da988a445013baf925@syzkaller.appspotmail.com
Reported-by: syzbot+747cbcbbed6318542061@syzkaller.appspotmail.com
Reported-by: syzbot+ca5efa23e00130bc8000@syzkaller.appspotmail.com
Reported-by: syzbot+731ab8c9a0342ace4189@syzkaller.appspotmail.com
Reported-by: syzbot+6c80b815a0ff8f09be69@syzkaller.appspotmail.com
Reported-by: syzbot+7939d2c4bc9a5dfa707a@syzkaller.appspotmail.com
Reported-by: syzbot+e893fb0259640a314d06@syzkaller.appspotmail.com
Reported-by: syzbot+b6a3447070ae8ffcb125@syzkaller.appspotmail.com
Reported-by: syzbot+23c0824b688f28c79c1b@syzkaller.appspotmail.com
Reported-by: syzbot+6cc72412d8ddcf87f8a1@syzkaller.appspotmail.com
|
|
Copied over from sys/netinet/raw_ip.c:rip_input() where it appeared with
initial support for multiple routing tables.
This enforces separation between multiple raw sockets in different routing
tables, i.e. one must not see packets from the other if the rtable differs.
Observed with ping6(8)'s "-v" showing all ICMPv6 packets on its raw socket
including those produced by another ping6 with "-V1".
florian reported IPv6 route advertisments in one routing table appearing on
raw sockets in other routing tables as well.
OK claudio florian
|
|
Range violations are now consistently reported as EOPNOTSUPP.
Previously they were mixed with ENOPROTOOPT.
OK kn@
|
|
RFC 6724 section 5.
This simplifies the code considerably while extensive testing shows no
change in behaviour. It is time to volunteer some more testers.
OK denis@ some time ago.
|
|
r1.146 "Enable IPv6 routing domain support" adapted the mtod() line from the
IPV6_PIPEX case which was bogus since introduction in r1.118.
Issue found by florian, who came up with the same partial diff for SO_RTABLE
while working on rdomain aware slaacd(8).
Taken from sys/netinet/ip_output.c which does it correctly.
OK florian millert
|
|
This is the name the other BSDs use for this, there is no reason to
be different, the IPv6 RFCs call these addresses temporary, and some
software in ports wants to use this as well.
Most recently pointed out for firefox by landry.
OK claudio, sthen
|
|
ok claudio@
|
|
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
|
|
ip6_hopopts(). The value is tested and non-zero values could cause a
packet to be discarded.
Initialize the pointed at variable to 0, tweaking variable names and
associated comments.
COVERITY 1453098
ok deraadt@ mpi@
|
|
i feel like i should add IFT_L3IPVLAN here so mgre(4) can take
advantage of this too.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
Since our last concurrency mistake only ioctl(2) ans sysctl(2) code path
take the reader lock. This is mostly for documentation purpose as long as
the softnet thread is converted back to use a read lock.
dlg@ said that comments should be good enough.
ok sashan@
|
|
An invalid/corrupted hop6 option in rip6_input()/ip6_savecontrol() could
lead m_copydata(9)s' check to trigger a panic.
Fix from maxv@NetBSD where the problem was also reported by syzkaller.
Reported-by: syzbot+3b07b3511b4ceb8bf1e2@syzkaller.appspotmail.com
Reported-by: syzbot+7ee0eb2691d507fcad2e@syzkaller.appspotmail.com
ok sashan@, dlg@, claudio@, deraadt@
|
|
Such routes have a valid link-local entry that should not be overwritten.
The current assert in the timeout routine doesn't give enough information
to know where the bug is, if there is still one.
This should play better with syzkaller.
ok claudio@, visa@ as part of a larger diff
|
|
Such route correspond to a locally configured address and the ND6
subsystem expect its link-local address to be always present.
Fix an issue reported by Julian Brost.
ok claudio@, visa@
|
|
Prevent concurrency in the socket layer which is not ready for that.
Two recent data corruptions in pfsync(4) and the socket layer pointed
out that, at least, tun(4) was incorrectly using NET_RUNLOCK(). Until
we find a way in software to avoid future mistakes and to make sure that
only the softnet thread and some ioctls are safe to use a read version
of the lock, put everything back to the exclusive version.
ok stsp@, visa@
|
|
they are used. Nobody in the wider eco system uses these.
While here reduce temporary address valid lifetime to 2 days as per
draft-ietf-6man-rfc4941bis. This should considerably reduce the amount
of addresses configured on an interface - a common complaint.
Original diff from Fernando Gont (fernando AT gont.com.ar), thanks!
Ports tree scanning by sthen@
|
|
ok mpi@
|
|
made from socket close path. Most device drivers are not MP-safe yet,
and the closing of AF_INET and AF_INET6 sockets is no longer under the
kernel lock.
This fixes a panic seen by jcs@.
OK mpi@
|
|
address is in the routing table and will be identified as any other
local address. There is no reason to handle ::1 source address
special. Better use the generic IPv6 input path. Kame has removed
the special code in their revision 1.189 commit.
OK sashan@
|
|
|
|
IP forwarding is disabled. Issue reported by Daniel Jakots (danj@)
OK bluhm@
|
|
where such packet is bound to. This check is enforced if and only
IP forwarding is disabled.
Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@
OK bluhm@, claudio@, tobhe@
|
|
ok benno@ mortimer@
|
|
dhcpcd from ports uses SIOCGIFAFLAG_IN6 without setting sin6_len.
OK deraadt@ millert@
|
|
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@
|
|
this follows what's been done for detach and link state hooks, and
makes handling of hooks generally more robust.
address hooks are a bit different to detach/link state hooks in
that there's only a few things that register hooks (carp, pf, vxlan),
but a lot of places to run the hooks (lots of ipv4 and ipv6 address
configuration).
an address hook cookie was in struct pfi_kif, which is part of the
pf abi. rather than break pfctl -sI, this maintains the void * used
for the cookie and uses it to store a task, which is then used as
intended with the new api.
|
|
making RTM_INVALIDATE code path perform same check as RTM_DELETE does.
ok mpi@
|
|
|
|
from a neighbor's address. Sthen@ dug out RFC 4861 4.4 that says that
the source address is "An address assigned to the interface from which
the advertisement is sent." -- which can be from a network that the
receiver does not know about. Indeed my provider sends such a neighbor
advertisment for my default gateway, which breaks my uplink.
Claudio@ added this check for symetry with NetBSD code when he added
the same check to nd6_ns_input(), where it is needed to fix
CVE-2008-2476. See also OpenBSD 4.2 errata 15.
ok claudio@, kn@
|
|
this also brings them in line with the AF_INET equivalents.
ok visa@ bluhm@
|
|
|
|
mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion
to prevent stack overflow. Also it allows freeing the route outside
of the walk. Now mrt6_mcast_del() frees the route only when it is
deleted from the routing table. If that fails, it must not be
freed. After the route is returned by mf6c_find(), it is reference
counted. Then we need a rtfree(), but not in the other case.
Name mrt6_mcast_add() and mrt6_mcast_del() consistently.
Move rt_timer_remove_all() into mrt6_mcast_del().
Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com
OK mpi@
|
|
Handle the ECN in the fragment queue.
Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com
fix from FreeBSD; OK claudio@
|
|
for IPv6 link local addresses.
Some hosting and VM providers route customer IPv6 prefixes to link
local addresses derived from ethernet MAC addresses (RFC 2464). This
leads to hard to debug IPv6 connectivity problems and is probably not
worth the effort.
RFC 7721 lists 4 weaknesses:
3.1. Correlation of Activities over Time & 3.2. Location Tracking
These are still possible with RFC 7217 addresses for an adversary
connected to the same layer 2 network (think conference wifi). Since
the link local prefix stays the same (fe80::/64) the link local
addresses do not change between different networks.
An adversary on the same layer 2 network can probably track ethernet
MAC addresses via different means, too.
3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
These now become possible, however, as noted above a layer 2 adversary
was probably able to do this via different means.
People concerned with these weaknesses are advised to use
ifconfig lladdr random.
OK benno
input & OK kn
|
|
introduced a queue to grab the lock for multiple packets. Now we
have only netlock for both IP and protocol input. So the queue is
not necessary anymore. It just switches CPU and decreases performance.
So remove the inet and inet6 ip queue for local packets.
To get TCP running on loopback, we have to queue once between TCP
input and output of the two sockets. So use the loopback queue in
looutput() unconditionally.
OK visa@
|
|
rtable_walk(9) now passes a routing entry back to the caller when
a non zero value is returned and if it asked for it.
This allows us to call rtdeletemsg()/rtrequest_delete() from the
caller without creating a recursion because of rtflushclone().
Multicast code hasn't been adapted and is still possibly creating
recursions. However multicast route entries aren't cloned so if
a recursion exists it isn't because of rtflushclone().
Fix stack exhaustion triggered by the use of "-msave-args".
Issue reported by Dániel Lévai on bugs@ confirmed by and ok bluhm@.
|
|
set. These mpls routes use the rt_llinfo structure to store the MPLS label
and would confuse the arp and nd6 code.
OK bluhm@ anton@
Reported-by: syzbot+927e93a362f3ae33dd9c@syzkaller.appspotmail.com
|
|
before adding it to the routing table. The rtable code is doing memcmp()
of those rt_dest sockaddrs so it is important that they are stored in a
canonical form. To do this struct domain is extended to include the
sockaddr size for this address family.
OK bluhm@ anton@
Reported-by: syzbot+10fe9cd8d0211c562ead@syzkaller.appspotmail.com
|
|
drivers can set ph_timestamp when packets are received by the
hardware, which should be more accurate and cheaper than getting
the clock when the packet is queued on the socket.
|
|
ok semarie@, visa@
|
|
mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl
command can cause it to be NULL.
ok bluhm@ claudio@
Reported-by: syzbot+bdc489ecb509995a21ed@syzkaller.appspotmail.com
Reported-by: syzbot+156405fdea9f2ab15d40@syzkaller.appspotmail.com
|
|
This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.
Tested by various, ok dlg@, visa@
|
|
checksum field is located. During rip6 input and output make sure
that this field is within the packet. The offset my be -1 to disable
the feature, otherwise it must be non-negative and aligned. Do a
stricter check during setsockopt(2).
from FreeBSD; OK claudio@
|
|
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@
|
|
rip6_sysctl_rip6stat() copy out rip6counters, not ip6counters.
OK deraadt@ claudio@
|
