freebsd-dev/sys/netinet6
Hans Petter Selasky a55383e720 Fix panic in network stack due to use after free when receiving
partial fragmented packets before a network interface is detached.

When sending IPv4 or IPv6 fragmented packets and a fragment is lost
before the network device is freed, the mbuf making up the fragment
will remain in the temporary hashed fragment list and cause a panic
when it times out due to accessing a freed network interface
structure.


1) Make sure the m_pkthdr.rcvif always points to a valid network
interface. Else the rcvif field should be set to NULL.

2) Use the rcvif of the last received fragment as m_pkthdr.rcvif for
the fully defragged packet, instead of the first received fragment.

Panic backtrace for IPv6:

panic()
icmp6_reflect() # tries to access rcvif->if_afdata[AF_INET6]->xxx
icmp6_error()
frag6_freef()
frag6_slowtimo()
pfslowtimo()
softclock_call_cc()
softclock()
ithread_loop()

Reviewed by:	bz
Differential Revision:	https://reviews.freebsd.org/D19622
MFC after:	1 week
Sponsored by:	Mellanox Technologies
2019-10-16 09:11:49 +00:00
dest6.c Remove some unnecessary variable sets in IPv6 code, as detected by 2018-03-24 12:43:34 +00:00
frag6.c Fix panic in network stack due to use after free when receiving 2019-10-16 09:11:49 +00:00
icmp6.c Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
icmp6.h
in6_cksum.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in6_fib.c Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
in6_fib.h
in6_gif.c Add the check that current VNET is ready and access to srchash is allowed. 2018-10-23 13:11:45 +00:00
in6_ifattach.c Don't cover in6_ifattach() with network epoch, as it may call into 2019-10-13 04:25:16 +00:00
in6_ifattach.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in6_jail.c Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
in6_mcast.c Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
in6_pcb.c IPv6 cleanup: kernel 2019-08-02 07:41:36 +00:00
in6_pcb.h IPv6 cleanup: kernel 2019-08-02 07:41:36 +00:00
in6_pcbgroup.c sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
in6_proto.c frag6.c: move variables and sysctls into local file 2019-08-02 10:29:53 +00:00
in6_rmx.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
in6_rss.c
in6_rss.h
in6_src.c IPv6 cleanup: kernel 2019-08-02 07:41:36 +00:00
in6_var.h Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
in6.c in6ifa_llaonifp() is never called from fast path, so do not require 2019-10-14 15:33:53 +00:00
in6.h Convert all IPv4 and IPv6 multicast memberships into using a STAILQ 2019-06-25 11:54:41 +00:00
ip6_ecn.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip6_fastfwd.c New pfil(9) KPI together with newborn pfil API and control utility. 2019-01-31 23:01:03 +00:00
ip6_forward.c Add a missing include of opt_sctp.h. 2019-10-12 22:58:33 +00:00
ip6_gre.c Add GRE-in-UDP encapsulation support as defined in RFC8086. 2019-04-24 09:05:45 +00:00
ip6_id.c ip6_randomflowlabel: Avoid blocking if random(4) is not available 2019-04-23 17:18:20 +00:00
ip6_input.c When processing an incoming IPv6 packet over the loopback interface which 2019-09-19 10:22:29 +00:00
ip6_mroute.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
ip6_mroute.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip6_output.c ip6_output() has a complex set of gotos, and some can jump out of 2019-10-09 17:02:28 +00:00
ip6_var.h frag6: move public structure into file local space. 2019-08-08 10:59:54 +00:00
ip6.h
ip6protosw.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_fw_nat64.h Reapply r345274 with build fixes for 32-bit architectures. 2019-03-19 10:57:03 +00:00
ip_fw_nptv6.h Add ability to use dynamic external prefix in ipfw_nptv6 module. 2018-11-12 11:20:59 +00:00
mld6_var.h Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 2019-01-24 08:34:13 +00:00
mld6.c Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
mld6.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
nd6_nbr.c Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
nd6_rtr.c Widen NET_EPOCH coverage. 2019-10-07 22:40:05 +00:00
nd6.c Don't cover in6_ifattach() with network epoch, as it may call into 2019-10-13 04:25:16 +00:00
nd6.h Update for IETF draft-ietf-6man-ipv6only-flag. 2019-03-07 23:03:39 +00:00
pim6_var.h Rework IP encapsulation handling code. 2018-06-05 20:51:01 +00:00
pim6.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
raw_ip6.c Revert changes to rip6_bind() from r353292. This function is always 2019-10-09 05:52:07 +00:00
raw_ip6.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
route6.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
scope6_var.h Constify argument of in6_getscope(). 2018-06-05 20:54:29 +00:00
scope6.c Mechanical cleanup of epoch(9) usage in network stack. 2019-01-09 01:11:19 +00:00
sctp6_usrreq.c Remove line not needed. 2019-10-13 09:35:03 +00:00
sctp6_var.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
send.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
send.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
tcp6_var.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
udp6_usrreq.c r348494 fixes a race in udp_output(). The same race exists in 2019-07-13 12:45:08 +00:00
udp6_var.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00