| Age | Commit message (Collapse) | Author |
|---|
|
Since our last concurrency mistake only ioctl(2) ans sysctl(2) code path
take the reader lock. This is mostly for documentation purpose as long as
the softnet thread is converted back to use a read lock.
dlg@ said that comments should be good enough.
ok sashan@
|
|
An invalid/corrupted hop6 option in rip6_input()/ip6_savecontrol() could
lead m_copydata(9)s' check to trigger a panic.
Fix from maxv@NetBSD where the problem was also reported by syzkaller.
Reported-by: syzbot+3b07b3511b4ceb8bf1e2@syzkaller.appspotmail.com
Reported-by: syzbot+7ee0eb2691d507fcad2e@syzkaller.appspotmail.com
ok sashan@, dlg@, claudio@, deraadt@
|
|
Such routes have a valid link-local entry that should not be overwritten.
The current assert in the timeout routine doesn't give enough information
to know where the bug is, if there is still one.
This should play better with syzkaller.
ok claudio@, visa@ as part of a larger diff
|
|
Such route correspond to a locally configured address and the ND6
subsystem expect its link-local address to be always present.
Fix an issue reported by Julian Brost.
ok claudio@, visa@
|
|
Prevent concurrency in the socket layer which is not ready for that.
Two recent data corruptions in pfsync(4) and the socket layer pointed
out that, at least, tun(4) was incorrectly using NET_RUNLOCK(). Until
we find a way in software to avoid future mistakes and to make sure that
only the softnet thread and some ioctls are safe to use a read version
of the lock, put everything back to the exclusive version.
ok stsp@, visa@
|
|
they are used. Nobody in the wider eco system uses these.
While here reduce temporary address valid lifetime to 2 days as per
draft-ietf-6man-rfc4941bis. This should considerably reduce the amount
of addresses configured on an interface - a common complaint.
Original diff from Fernando Gont (fernando AT gont.com.ar), thanks!
Ports tree scanning by sthen@
|
|
ok mpi@
|
|
made from socket close path. Most device drivers are not MP-safe yet,
and the closing of AF_INET and AF_INET6 sockets is no longer under the
kernel lock.
This fixes a panic seen by jcs@.
OK mpi@
|
|
address is in the routing table and will be identified as any other
local address. There is no reason to handle ::1 source address
special. Better use the generic IPv6 input path. Kame has removed
the special code in their revision 1.189 commit.
OK sashan@
|
|
|
|
IP forwarding is disabled. Issue reported by Daniel Jakots (danj@)
OK bluhm@
|
|
where such packet is bound to. This check is enforced if and only
IP forwarding is disabled.
Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@
OK bluhm@, claudio@, tobhe@
|
|
ok benno@ mortimer@
|
|
dhcpcd from ports uses SIOCGIFAFLAG_IN6 without setting sin6_len.
OK deraadt@ millert@
|
|
addresses. Implement in6_sa2sin6() to validate inet6 address family
and address length. The SIOCGIFDSTADDR_IN6, SIOCGIFNETMASK_IN6,
SIOCGIFAFLAG_IN6, SIOCGIFALIFETIME_IN6, and SIOCDIFADDR_IN6 ioctl(2)
are safe now.
OK visa@
|
|
this follows what's been done for detach and link state hooks, and
makes handling of hooks generally more robust.
address hooks are a bit different to detach/link state hooks in
that there's only a few things that register hooks (carp, pf, vxlan),
but a lot of places to run the hooks (lots of ipv4 and ipv6 address
configuration).
an address hook cookie was in struct pfi_kif, which is part of the
pf abi. rather than break pfctl -sI, this maintains the void * used
for the cookie and uses it to store a task, which is then used as
intended with the new api.
|
|
making RTM_INVALIDATE code path perform same check as RTM_DELETE does.
ok mpi@
|
|
|
|
from a neighbor's address. Sthen@ dug out RFC 4861 4.4 that says that
the source address is "An address assigned to the interface from which
the advertisement is sent." -- which can be from a network that the
receiver does not know about. Indeed my provider sends such a neighbor
advertisment for my default gateway, which breaks my uplink.
Claudio@ added this check for symetry with NetBSD code when he added
the same check to nd6_ns_input(), where it is needed to fix
CVE-2008-2476. See also OpenBSD 4.2 errata 15.
ok claudio@, kn@
|
|
this also brings them in line with the AF_INET equivalents.
ok visa@ bluhm@
|
|
|
|
mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion
to prevent stack overflow. Also it allows freeing the route outside
of the walk. Now mrt6_mcast_del() frees the route only when it is
deleted from the routing table. If that fails, it must not be
freed. After the route is returned by mf6c_find(), it is reference
counted. Then we need a rtfree(), but not in the other case.
Name mrt6_mcast_add() and mrt6_mcast_del() consistently.
Move rt_timer_remove_all() into mrt6_mcast_del().
Reported-by: syzbot+af7d510593d74c825960@syzkaller.appspotmail.com
OK mpi@
|
|
Handle the ECN in the fragment queue.
Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com
fix from FreeBSD; OK claudio@
|
|
for IPv6 link local addresses.
Some hosting and VM providers route customer IPv6 prefixes to link
local addresses derived from ethernet MAC addresses (RFC 2464). This
leads to hard to debug IPv6 connectivity problems and is probably not
worth the effort.
RFC 7721 lists 4 weaknesses:
3.1. Correlation of Activities over Time & 3.2. Location Tracking
These are still possible with RFC 7217 addresses for an adversary
connected to the same layer 2 network (think conference wifi). Since
the link local prefix stays the same (fe80::/64) the link local
addresses do not change between different networks.
An adversary on the same layer 2 network can probably track ethernet
MAC addresses via different means, too.
3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
These now become possible, however, as noted above a layer 2 adversary
was probably able to do this via different means.
People concerned with these weaknesses are advised to use
ifconfig lladdr random.
OK benno
input & OK kn
|
|
introduced a queue to grab the lock for multiple packets. Now we
have only netlock for both IP and protocol input. So the queue is
not necessary anymore. It just switches CPU and decreases performance.
So remove the inet and inet6 ip queue for local packets.
To get TCP running on loopback, we have to queue once between TCP
input and output of the two sockets. So use the loopback queue in
looutput() unconditionally.
OK visa@
|
|
rtable_walk(9) now passes a routing entry back to the caller when
a non zero value is returned and if it asked for it.
This allows us to call rtdeletemsg()/rtrequest_delete() from the
caller without creating a recursion because of rtflushclone().
Multicast code hasn't been adapted and is still possibly creating
recursions. However multicast route entries aren't cloned so if
a recursion exists it isn't because of rtflushclone().
Fix stack exhaustion triggered by the use of "-msave-args".
Issue reported by Dániel Lévai on bugs@ confirmed by and ok bluhm@.
|
|
set. These mpls routes use the rt_llinfo structure to store the MPLS label
and would confuse the arp and nd6 code.
OK bluhm@ anton@
Reported-by: syzbot+927e93a362f3ae33dd9c@syzkaller.appspotmail.com
|
|
before adding it to the routing table. The rtable code is doing memcmp()
of those rt_dest sockaddrs so it is important that they are stored in a
canonical form. To do this struct domain is extended to include the
sockaddr size for this address family.
OK bluhm@ anton@
Reported-by: syzbot+10fe9cd8d0211c562ead@syzkaller.appspotmail.com
|
|
drivers can set ph_timestamp when packets are received by the
hardware, which should be more accurate and cheaper than getting
the clock when the packet is queued on the socket.
|
|
ok semarie@, visa@
|
|
mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl
command can cause it to be NULL.
ok bluhm@ claudio@
Reported-by: syzbot+bdc489ecb509995a21ed@syzkaller.appspotmail.com
Reported-by: syzbot+156405fdea9f2ab15d40@syzkaller.appspotmail.com
|
|
This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.
Tested by various, ok dlg@, visa@
|
|
checksum field is located. During rip6 input and output make sure
that this field is within the packet. The offset my be -1 to disable
the feature, otherwise it must be non-negative and aligned. Do a
stricter check during setsockopt(2).
from FreeBSD; OK claudio@
|
|
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@
|
|
rip6_sysctl_rip6stat() copy out rip6counters, not ip6counters.
OK deraadt@ claudio@
|
|
this allows mpls interfaces (mpe, mpw) to pass the rdomain they
wish the local label to be in, rather than have it implicitly forced
to 0 by these functions. right now they'll pass 0, but it will soon
be possible to have them rx packets in other rdomains.
previously the functions used ifp->if_rdomain for the rdomain.
everything other than mpls still passes ifp->if_rdomain.
ok mpi@
|
|
MPLS interfaces (ab)use rt_ifa_add for adding the local MPLS label
that they listen on for incoming packets, while every other use of
rt_ifa_add is for adding addresses on local interfaces. MPLS does
this cos the addresses involved are in basically the same shape as
ones used for setting up local addresses.
It is appropriate for interfaces to want RTF_MPATH on local addresses,
but in the MPLS case it means you can have multiple local things
listening on the same label, which doesn't actually work. mpe in
particular keeps track of in use labels to it can handle collisions,
however, mpw does not. It is currently possible to have multiple
mpw interfaces on the same local label, and sharing the same label
as mpe or possible normal forwarding labels.
Moving the RTF_MPATH flag out of rt_ifa_add means all the callers
that still want it need to pass it themselves. The mpe and mpw
callers are left alone without the flag, and will now get EEXIST
from rt_ifa_add when a label is already in use.
ok (and a huge amount of patience and help) mpi@
claudio@ is ok with the idea, but saw a much much earlier solution
to the problem
|
|
usrreq functions move the mbuf m_freem() logic to the release block
instead of distributing it over the switch statement. Then the
goto release in the initial check, whether the pcb still exists,
will not free the mbuf for the PRU_RCVD, PRU_RVCOOB, PRU_SENSE
command.
OK claudio@ mpi@ visa@
Reported-by: syzbot+8e7997d4036ae523c79c@syzkaller.appspotmail.com
|
|
input & OK mpi@
|
|
of some complicated match to convert them to ticks.
OK visa@ bluhm@ kn@
|
|
interface address of the route as source address. To avoid using
link-local addresses in ICMP6 packets sent into networks where they
are out of scope, use the regular IPv6 source selection algorithm
also in this icmp6_reflect() case.
reported by sthen@; fix from Arnaud BRAND; OK claudio@
|
|
carp interface. Move the check to the beginning of the function to
make it clear that there are no other side effects happening.
OK claudio
|
|
possible. Because of an optional payload maxlen bytes are used on the
m_align so that there is always enough space.
OK florian@
|
|
calls to m_get/M_GET calls because M_MOVE_PKTHDR() is initialising
the pkthdr and so it is not needed when allocation the header.
OK bluhm@
|
|
OK bluhm@
|
|
It was used by the original patricia tree.
OK mpi@
|
|
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@
|
|
rdomain now and are therefor rdomain save.
OK mpi@
|
|
rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute
code where off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255. All other places in the tree seem to
handle RT_TABLEID_MAX correctly.
OK florian@ benno@ henning@ deraadt@
|
|
Benno removed code to answer ICMP queries over 4 years ago.
Aham Brahmasmi (aham.brahmasmi AT gmx.com) points out
that we still joined the group though.
OK sthen, bluhm, kn
|
