d8e361d9 | 31-May-2022 | andvar <andvar@NetBSD.org>
fix various typos in comments, documentation and messages.

3ac92065 | 16-Feb-2022 | andvar <andvar@NetBSD.org>
fix various typos, mainly in comments.

f40cebed | 12-Oct-2018 | maxv <maxv@NetBSD.org>
Force ip_off to zero when the reassembly is complete. This was lost in my rev1.19 - before that the IP struct was clobbered for the reassembly, but it actually implicitly guaranteed that the first fragment of the packet would end up with ip_off = 0, and this was a desired behavior.

452c72e4 | 17-Sep-2018 | maxv <maxv@NetBSD.org>
Kick fragments that would introduce several !MFFs in a reassembly chain.
The problem arises if we receive three fragments of the kind
    3. A -> has MFF
    1. B -> doesn't have MFF
    2. C -> doesn't have MFF
Because of the received order B->C->A, we don't see that B is !MFF, and therefore that there is a problem in this chain.
Now we do two checks, and drop us if:
    * there is a fragment preceding us, and this fragment is !MFF, or
    * there is a fragment following us, and we are !MFF
Spotted a long time ago.

f3737ece | 17-Sep-2018 | maxv <maxv@NetBSD.org>
Hold ip_off and ip_len in the fragment entry, instead of always reading the associated mbuf (and converting to host order). This reduces the cache/TLB misses when processing long lists.

6d5ca55a | 10-Jul-2018 | maxv <maxv@NetBSD.org>
Remove the second argument from ip_reass_packet(). We want the IP header on the mbuf, not elsewhere. Simplifies the NPF reassembly code a little. No real functional change.

ab18434a | 15-May-2018 | maxv <maxv@NetBSD.org>
When reassembling IPv4/IPv6 packets, ensure each fragment has been subject to the same IPsec processing. That is to say, that all fragments are ESP, or AH, or AH+ESP, or none.
The reassembly mechanism can be used both on the wire and inside an IPsec tunnel, so we need to make sure all fragments of a packet were received on only one side.
Even though I haven't tried, I believe there are configurations where it would be possible for an attacker to inject an unencrypted fragment into a legitimate stream of already-decrypted-and-authenticated fragments.
Typically on IPsec gateways with ESP tunnels, where we can encapsulate fragments (as opposed to the general case, where we fragment encapsulated data).
Note, for the record: a funnier thing, under IPv4, would be to send a zero-sized !MFF fragment at the head of the packet, and manage to trigger an ICMP error; M_DECRYPTED gets lost by the reassembly, and ICMP will reply with the packet in clear (not encrypted).

f0ba0d93 | 03-May-2018 | maxv <maxv@NetBSD.org>
Rename m_pkthdr_remove -> m_remove_pkthdr, to match the existing naming convention, eg m_copy_pkthdr and m_move_pkthdr.

4c128d15 | 11-Apr-2018 | maxv <maxv@NetBSD.org>
Add 'static', like the prototype.

61aa2b4e | 09-Mar-2018 | maxv <maxv@NetBSD.org>
Remove M_PKTHDR from secondary mbufs when reassembling packets.
This is a real problem, because I found at least one component that relies on the fact that only the first mbuf has M_PKTHDR: far from here, in m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a secondary mbuf. (The initial intention there was to avoid updating m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're dealing with the first mbuf.) Therefore, when handling fragmented IPsec packets (in particular IPv6, IPv4 is a bit more complicated), we may end up with an incorrect m_pkthdr.len after authentication or decryption. In the case of ESP, this can lead to a remote crash on this instruction:
    m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.
It seems possible to me to trigger this bug even if you don't have the ESP key, because the fragmentation part is outside of the encrypted ESP payload.
So if you MITM the target, and intercept an incoming ESP packet (which you can't decrypt), you should be able to forge a new specially-crafted, fragmented packet and stuff the ESP payload (still encrypted, as you intercepted it) into it. The decryption succeeds and the target crashes.

e6ebfce5 | 08-Feb-2018 | maxv <maxv@NetBSD.org>
Change the error stat from IP_STAT_BADFRAGS to IP_STAT_TOOLONG. The ping_of_death ATF test expects this counter to get increased.

1374a600 | 06-Feb-2018 | maxv <maxv@NetBSD.org>
Add one more check in ip_reass_packet(): make sure that the end of each fragment does not exceed IP_MAXPACKET.
In ip_reass(), we only check the final length of the reassembled packet against IP_MAXPACKET.
But there is an integer overflow that can happen a little earlier. We are doing:
    i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
        ntohs(ip->ip_off);
    [...]
    ip->ip_off = htons(ntohs(ip->ip_off) + i);
It is possible that
    ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535
so the computation of ip_off wraps to zero. This breaks an assumption in the reassembler - it expects the list of fragments to be ordered by offset, and here it's not ordered anymore. (Un)Fortunately I couldn't turn this into anything exploitable.
With the new check, it is guaranteed that ip_off+ip_len<=65535.
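An added example, not NetBSD's code, that reproduces the 16-bit wrap described in this commit and the end-of-fragment check it adds; struct frag and the two function names are hypothetical stand-ins for the kernel's queued fragment entry and its ip_off/ip_len fields.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAXPACKET 65535  /* maximum IPv4 packet size, as in <netinet/ip.h> */

/* Hypothetical stand-in for a queued fragment entry: byte offset and
 * payload length of the fragment, both already in host order. */
struct frag {
    uint16_t off;
    uint16_t len;
};

/* The check the commit adds: a fragment whose end exceeds IP_MAXPACKET is
 * rejected. The sum is done in 32 bits so that it cannot wrap itself. */
static bool frag_end_ok(const struct frag *f)
{
    return (uint32_t)f->off + (uint32_t)f->len <= IP_MAXPACKET;
}

/* Mirrors the quoted overlap computation: i = p.off + p.len - cur.off, then
 * cur.off + i is stored back into a 16-bit header field. Returns the stored
 * value so a caller can observe the wrap to zero that breaks the ordering. */
static uint16_t trimmed_offset(const struct frag *prev, const struct frag *cur)
{
    int i = (int)prev->off + (int)prev->len - (int)cur->off;
    return (uint16_t)(cur->off + i);  /* truncated, like htons() of an int */
}

int main(void)
{
    /* Constructed fragments: prev sits at the maximum 8-byte-aligned offset
     * with an 8-byte payload, so prev.off + prev.len == 65536. */
    struct frag prev = { 65528, 8 };
    struct frag cur  = { 65528, 8 };

    printf("prev passes end check: %s\n", frag_end_ok(&prev) ? "yes" : "no");
    printf("trimmed offset of cur: %u\n", trimmed_offset(&prev, &cur));
    return 0;
}
```

Without the check, the overlapping fragment ends up with offset 0 and is no longer in sorted position; with it, prev is dropped before the overlap arithmetic runs.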

a41b4f38 | 11-Jan-2017 | ozaki-r <ozaki-r@NetBSD.org>
Get rid of unnecessary header inclusions

b8014fa8 | 26-Apr-2016 | ozaki-r <ozaki-r@NetBSD.org>
Sweep unnecessary route.h inclusions

05fd0bf3 | 25-Feb-2014 | pooka <pooka@NetBSD.org>
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.

52fb1dd8 | 27-Jun-2011 | enami <enami@NetBSD.org>
Don't increment ip_nfragpackets when we fail to allocate a fragment queue. No one will decrement it in such a case.

aa7dc4aa | 05-Nov-2010 | rmind <rmind@NetBSD.org>
ip_reass_packet: finish abstraction; some clean-up. Discussed some time ago with matt@.

a2939d49 | 07-Oct-2010 | yamt <yamt@NetBSD.org>
make ipfr_lock IPL_VM as ip_reass_drain is called in interrupts via the drain hook for mbuf pools.

daf969e4 | 06-Oct-2010 | enami <enami@NetBSD.org>
Don't free memory still in use. Fixes nfs root problem reported by Christoph Egger on source-changes-d.

ff74682f | 03-Oct-2010 | rmind <rmind@NetBSD.org>
Re-structure IPv4 reassembly code to make it more MP-friendly and simplify some code fragments while here. Also, use pool_cache(9) and mutex(9).
IPv4 reassembly mechanism is MP-safe now.

574e8cee | 25-Aug-2010 | rmind <rmind@NetBSD.org>
Use own IPv4 reassembly queue entry structure and leave struct ipqent only for TCP. Now both struct ipfr_qent, struct ipfr_queue and hashed fragment queue are abstracted and no longer public.

2f196e2f | 19-Jul-2010 | rmind <rmind@NetBSD.org>
Abstract IP reassembly into single generic routine - ip_reass_packet(). Make struct ipq private and struct ipqent not visible to userland. Push ip_len adjustment into reassembly layer.
OK matt@

bcc65ff0 | 13-Jul-2010 | rmind <rmind@NetBSD.org>
Split-off IPv4 re-assembly mechanism into a separate module. Abstract into ip_reass_init(), ip_reass_lookup(), etc (note: abstraction is not yet complete). No functional changes to the actual mechanism.
OK matt@