| Age | Commit message (Collapse) | Author |
|---|
|
ok dlg@, sthen@, millert@
|
|
Removes a global variable and avoids MP problems.
OK mpi@ visa@
|
|
sack hole list length or pool limit.
OK claudio@
|
|
There is a global tunable limit net.inet.tcp.sackholelimit, default
is 32768. If an attacker manages to attach all these sack holes
to a few TCP connections, the lists may grow long. Traversing them
might cause higher CPU consumption on the victim machine. In
practice such a situation is hard to create as the TCP retransmit
and 2*msl timer flush the list periodically. For additional
protection, enforce a per connection limit of 128 SACK holes in the
list.
reported by Reuven Plevinsky and Tal Vainshtein
discussed with claudio@ and procter@; OK deraadt@
|
|
ok kn@
|
|
Ethernet interfaces can be used by trunk(4), and i'm about to commit
a new aggr(4) driver which should not be able to use an interface
while trunk owns it and visa versa.
|
|
rtable_walk(9) now passes a routing entry back to the caller when
a non zero value is returned and if it asked for it.
This allows us to call rtdeletemsg()/rtrequest_delete() from the
caller without creating a recursion because of rtflushclone().
Multicast code hasn't been adapted and is still possibly creating
recursions. However multicast route entries aren't cloned so if
a recursion exists it isn't because of rtflushclone().
Fix stack exhaustion triggered by the use of "-msave-args".
Issue reported by Dániel Lévai on bugs@ confirmed by and ok bluhm@.
|
|
set. These mpls routes use the rt_llinfo structure to store the MPLS label
and would confuse the arp and nd6 code.
OK bluhm@ anton@
Reported-by: syzbot+927e93a362f3ae33dd9c@syzkaller.appspotmail.com
|
|
before adding it to the routing table. The rtable code is doing memcmp()
of those rt_dest sockaddrs so it is important that they are stored in a
canonical form. To do this struct domain is extended to include the
sockaddr size for this address family.
OK bluhm@ anton@
Reported-by: syzbot+10fe9cd8d0211c562ead@syzkaller.appspotmail.com
|
|
drivers can set ph_timestamp when packets are received by the
hardware, which should be more accurate and cheaper than getting
the clock when the packet is queued on the socket.
|
|
ok semarie@, visa@
|
|
mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl
command can cause it to be NULL.
ok bluhm@ claudio@
Reported-by: syzbot+bdc489ecb509995a21ed@syzkaller.appspotmail.com
Reported-by: syzbot+156405fdea9f2ab15d40@syzkaller.appspotmail.com
|
|
ok claudio@ deraadt@
|
|
This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.
Tested by various, ok dlg@, visa@
|
|
this let's input processing bypass ifiqs. there's a performance
benefit from this, and it will let me tweak the backpressure detection
mechanism that ifiqs use without impacting on a stack of virtual
interfaces.
ive tested all of these except mpw, which i will end up testing
soon anyway.
|
|
both functions consistent. In in_cksum() panic if len is longer
than mbuf, but in in6_cksum() do not panic if off and len match
exactly to the end of mbuf.
OK claudio@
|
|
from Mitchell Krome
|
|
this allows mpls interfaces (mpe, mpw) to pass the rdomain they
wish the local label to be in, rather than have it implicitly forced
to 0 by these functions. right now they'll pass 0, but it will soon
be possible to have them rx packets in other rdomains.
previously the functions used ifp->if_rdomain for the rdomain.
everything other than mpls still passes ifp->if_rdomain.
ok mpi@
|
|
MPLS interfaces (ab)use rt_ifa_add for adding the local MPLS label
that they listen on for incoming packets, while every other use of
rt_ifa_add is for adding addresses on local interfaces. MPLS does
this cos the addresses involved are in basically the same shape as
ones used for setting up local addresses.
It is appropriate for interfaces to want RTF_MPATH on local addresses,
but in the MPLS case it means you can have multiple local things
listening on the same label, which doesn't actually work. mpe in
particular keeps track of in use labels to it can handle collisions,
however, mpw does not. It is currently possible to have multiple
mpw interfaces on the same local label, and sharing the same label
as mpe or possible normal forwarding labels.
Moving the RTF_MPATH flag out of rt_ifa_add means all the callers
that still want it need to pass it themselves. The mpe and mpw
callers are left alone without the flag, and will now get EEXIST
from rt_ifa_add when a label is already in use.
ok (and a huge amount of patience and help) mpi@
claudio@ is ok with the idea, but saw a much much earlier solution
to the problem
|
|
more consistent to the other protocols' usrreq functions.
OK visa@ claudio@
|
|
usrreq functions move the mbuf m_freem() logic to the release block
instead of distributing it over the switch statement. Then the
goto release in the initial check, whether the pcb still exists,
will not free the mbuf for the PRU_RCVD, PRU_RVCOOB, PRU_SENSE
command.
OK claudio@ mpi@ visa@
Reported-by: syzbot+8e7997d4036ae523c79c@syzkaller.appspotmail.com
|
|
then 1/8 of net.inet.ip.arptimeout the system will send out a arp request
about every 30 seconds until either the entry is updated or expired.
Not refreshing arp entries will result in packet drop every time a entry
expires which is not ideal for important gateway entries.
Came up with this after a discussion with deraadt@. OK benno@ deraadt@
|
|
the mbuf to the next word length as it is required by the standard. Also use
the correct offset from the input mbuf.
OK visa@, input & OK bluhm@
|
|
|
|
bigger than the IP header len to be valid. With this I can traceroute again.
|
|
with INP_HDRINCL. There is no reason to allow badly constructed packets through
our network stack. Especially since they may trigger diagnostic checks further
down the stack. Now EINVAL is returned instead which was already used for some
checks that happened before.
OK florian@
Reported-by: syzbot+0361ed02deed123667cb@syzkaller.appspotmail.com
|
|
of fiddling with the user supplied mbuf and then copy it at the end.
OK visa@
|
|
a lot easier to read. The if can simply return the error and so the else
branch is no longer needed.
Input and OK dhill@
|
|
input & OK mpi@
|
|
passed to ip_pcbopts could be a cluster and so the size check is all wrong.
found by Greg Steuck; OK bluhm@
Reported-by: syzbot+c2543ae6b6692a5843e3@syzkaller.appspotmail.com
eVS: ----------------------------------------------------------------------
|
|
will reduce the sleep time by one tick which doesn't matter in the common
case. The code never passes a true 0 timeval to timeout_add_tv so the code
will always sleep for at least 1 tick which is good enough.
OK kn@, florian@, visa@, cheloha@
|
|
if if_output can be overridden on ethernet interfaces, it will allow
things like vlan to do it's packet encapsulation during output
before putting the packet directly on the underlying interface for
output.
this has two benefits. first, it can avoid having ether_output on
pseudo interfaces recurse, which makes profiling of the network
stack a lot clearer. secondly, and more importantly, it allows
pseudo ethernet interface packet encapsulation to by run concurrently
by the stack, rather than having packets unnecessarily serialied
by an ifq.
this diff just splits ether_output up, it doesnt have any interface
take advantage of it yet.
tweaks and ok claudio@
|
|
This also makes the IPv4 and IPv6 code more similar.
OK phessler@
|
|
the inpcb apart from the disconnect. Just call soisdisconnected() and
clear the inp->inp_faddr since the socket is still valid after a disconnect.
Problem found by syzkaller via Greg Steuck
OK visa@
Fixes:
Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com
Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com
Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com
Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
|
|
the function is doing the same initialisation as arprequest().
OK bluhm@
|
|
- Use m_align() since it handles all cases
- Use same rounding logic in the size check as in m_align() so all data will
filt always.
- consolidate pkthdr initalisation into one place
- use m_prepend() instead of direct pointer manipulation (including the panic
in case an underflow happens).
OK bluhm@
|
|
It was used by the original patricia tree.
OK mpi@
|
|
previously the gif code would patch the tos field and not recalc
the cksum, which would cause ip input code to drop the packet due
to a cksum failure. the ipip code patched ip_tos and unconditionally
recalculated the cksum, making it correct, but also wiping out any
errors that may have been present before the recalculation. updating
the cksum rather than replacing it lets cksum failures still fire.
ip_tos_patch() is provided in the ecn code since it's because of ecn
propagation that we need to update the tos field. internally it
works like pf_patch_8 and pf_cksum_fixup, but since pf is optional
it rolls its own code. procter may fix that in the future...
ok claudio@
|
|
It also translated a documented send(2) EACCES case erroneously.
This was too much magic and always prone to errors.
from Jan Klemkow; man page jmc@; OK claudio@
|
|
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@
|
|
rdomain now and are therefor rdomain save.
OK mpi@
|
|
The maximum is ICMP_MINLEN (8) + max IPv4 header size (60) + IPv6 header (40)
for the IPv6 over IPv4 transition case. By having up to this amount of data
consequtive in an mbuf makes the rest of the code simpler and no more extra
m_pullup calls are needed. Only length checks are now required.The maximum
size is also big enough for all other ICMP types that don't embed the IP
heaader. This ensures that all data has been m_pullup-ed before calling the
ctlinput function which can look that deep into the header.
OK bluhm@ markus@
|
|
check. This code was never reached as ICMP length was truncated
before, but fix the wrong calculation anyway.
OK claudio@
|
|
the end of the cluster (there is no M_ALIGN version for clusters so it is
hard coded). Also make the sanity check more general by using m_leadingspace.
Not a security issue since the cluster code is not reachable, there is enough
space in an mbuf.
OK bluhm@
|
|
a fixed socket send buffer size for TCP. tcp_update_sndspace()
could overwrite the value as the algorithms were not in sync.
OK benno@ claudio@
|
|
|
|
|
|
In particular, use LIST_* to preserve O(n) removal in rti_delete().
While here, clean up two malloc(9) calls.
Suggested by mpi@.
ok visa@
|
|
of packets are being dropped but non of the other counters are increasing.
From Daniel Hokka Zakrisson (daniel AT hozac DOT com), thanks!
OK florian, phessler
|
|
rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute
code where off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255. All other places in the tree seem to
handle RT_TABLEID_MAX correctly.
OK florian@ benno@ henning@ deraadt@
|
