From e281e3d9380a884e071e1570fb57e2d1891da9b0 Mon Sep 17 00:00:00 2001
From: tuexen <tuexen@FreeBSD.org>
Date: Thu, 2 Oct 2014 10:32:24 +0000
Subject: [PATCH] Fix the checksum computation for UDPLite/IPv6. This requires
 the usage of a function computing the checksum only over a part of the
 function. Therefore introduce in6_cksum_partial() and implement in6_cksum()
 based on that. While there, ensure that the UDPLite packet contains at least
 enough bytes to contain the header.

Reviewed by: kevlo
MFC after: 3 days
---
 sys/netinet6/in6.h         |  2 ++
 sys/netinet6/in6_cksum.c   | 28 ++++++++++++++++++----------
 sys/netinet6/udp6_usrreq.c | 15 ++++++++++-----
 3 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h
index 8fa4d95ff8ca..5fbcf5f23d9f 100644
--- a/sys/netinet6/in6.h
+++ b/sys/netinet6/in6.h
@@ -647,6 +647,8 @@ struct ip6_hdr;
 
 int	in6_cksum_pseudo(struct ip6_hdr *, uint32_t, uint8_t, uint16_t);
 int	in6_cksum(struct mbuf *, u_int8_t, u_int32_t, u_int32_t);
+int	in6_cksum_partial(struct mbuf *, u_int8_t, u_int32_t, u_int32_t,
+			  u_int32_t);
 int	in6_localaddr(struct in6_addr *);
 int	in6_localip(struct in6_addr *);
 int	in6_addrscope(const struct in6_addr *);
diff --git a/sys/netinet6/in6_cksum.c b/sys/netinet6/in6_cksum.c
index da8a2e6bf3c1..ce1961a60082 100644
--- a/sys/netinet6/in6_cksum.c
+++ b/sys/netinet6/in6_cksum.c
@@ -145,9 +145,11 @@ in6_cksum_pseudo(struct ip6_hdr *ip6, uint32_t len, uint8_t nxt, uint16_t csum)
  * off is an offset where TCP/UDP/ICMP6 header starts.
  * len is a total length of a transport segment.
  * (e.g. TCP header + TCP payload)
+ * cov is the number of bytes to be taken into account for the checksum
  */
 int
-in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
+in6_cksum_partial(struct mbuf *m, u_int8_t nxt, u_int32_t off,
+    u_int32_t len, u_int32_t cov)
 {
 	struct ip6_hdr *ip6;
 	u_int16_t *w, scope;
@@ -215,9 +217,9 @@ in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
 	}
 	w = (u_int16_t *)(mtod(m, u_char *) + off);
 	mlen = m->m_len - off;
-	if (len < mlen)
-		mlen = len;
-	len -= mlen;
+	if (cov < mlen)
+		mlen = cov;
+	cov -= mlen;
 	/*
 	 * Force to even boundary.
 	 */
@@ -273,7 +275,7 @@ in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
 	 * Lastly calculate a summary of the rest of mbufs.
 	 */
 
-	for (;m && len; m = m->m_next) {
+	for (;m && cov; m = m->m_next) {
 		if (m->m_len == 0)
 			continue;
 		w = mtod(m, u_int16_t *);
@@ -290,12 +292,12 @@ in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
 			sum += s_util.s;
 			w = (u_int16_t *)((char *)w + 1);
 			mlen = m->m_len - 1;
-			len--;
+			cov--;
 		} else
 			mlen = m->m_len;
-		if (len < mlen)
-			mlen = len;
-		len -= mlen;
+		if (cov < mlen)
+			mlen = cov;
+		cov -= mlen;
 		/*
 		 * Force to even boundary.
 		 */
@@ -343,7 +345,7 @@ in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
 		} else if (mlen == -1)
 			s_util.c[0] = *(char *)w;
 	}
-	if (len)
+	if (cov)
 		panic("in6_cksum: out of data");
 	if (mlen == -1) {
 		/* The last mbuf has odd # of bytes. Follow the
@@ -355,3 +357,9 @@ in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
 	REDUCE;
 	return (~sum & 0xffff);
 }
+
+int
+in6_cksum(struct mbuf *m, u_int8_t nxt, u_int32_t off, u_int32_t len)
+{
+	return (in6_cksum_partial(m, nxt, off, len, len));
+}
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 28f2753ac98d..11cfd3aab91a 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -227,11 +227,16 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
 
 	nxt = ip6->ip6_nxt;
 	cscov_partial = (nxt == IPPROTO_UDPLITE) ? 1 : 0;
-	if (nxt == IPPROTO_UDPLITE && (ulen == 0 || ulen == plen)) {
+	if (nxt == IPPROTO_UDPLITE) {
 		/* Zero means checksum over the complete packet. */
 		if (ulen == 0)
 			ulen = plen;
-		cscov_partial = 0;
+		if (ulen == plen)
+			cscov_partial = 0;
+		if ((ulen < sizeof(struct udphdr)) || (ulen > plen)) {
+			/* XXX: What is the right UDPLite MIB counter? */
+			goto badunlocked;
+		}
 	}
 	if (nxt == IPPROTO_UDP && plen != ulen) {
 		UDPSTAT_INC(udps_badlen);
@@ -257,7 +262,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
 			    m->m_pkthdr.csum_data);
 		uh_sum ^= 0xffff;
 	} else
-		uh_sum = in6_cksum(m, nxt, off, ulen);
+		uh_sum = in6_cksum_partial(m, nxt, off, plen, ulen);
 
 	if (uh_sum != 0) {
 		UDPSTAT_INC(udps_badsum);
@@ -844,8 +849,8 @@ udp6_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr6,
 		ip6->ip6_dst	= *faddr;
 
 		if (cscov_partial) {
-			if ((udp6->uh_sum = in6_cksum(m, 0,
-			    sizeof(struct ip6_hdr), cscov)) == 0)
+			if ((udp6->uh_sum = in6_cksum_partial(m, nxt,
+			    sizeof(struct ip6_hdr), plen, cscov)) == 0)
 				udp6->uh_sum = 0xffff;
 		} else {
 			udp6->uh_sum = in6_cksum_pseudo(ip6, plen, nxt, 0);