1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-23 11:18:54 +00:00
freebsd/sys/netinet
Ian Dowse bfef7ed45c It was possible for ip_forward() to supply to icmp_error()
an IP header with ip_len in network byte order. For certain
values of ip_len, this could cause icmp_error() to write
beyond the end of an mbuf, causing mbuf free-list corruption.
This problem was observed during generation of ICMP redirects.

We now make quite sure that the copy of the IP header kept
for icmp_error() is stored in a non-shared mbuf header so
that it will not be modified by ip_output().

Also:
- Calculate the correct number of bytes that need to be
  retained for icmp_error(), instead of assuming that 64
  is enough (it's not).
- In icmp_error(), use m_copydata instead of bcopy() to
  copy from the supplied mbuf chain, in case the first 8
  bytes of IP payload are not stored directly after the IP
  header.
- Sanity-check ip_len in icmp_error(), and panic if it is
  less than sizeof(struct ip). Incoming packets with bad
  ip_len values are discarded in ip_input(), so this should
  only be triggered by bugs in the code, not by bad packets.

This patch results from code and suggestions from Ruslan, Bosko,
Jonathan Lemon and Matt Dillon, with important testing by Mike
Tancsa, who could reproduce this problem at will.

Reported by:	Mike Tancsa <mike@sentex.net>
Reviewed by:	ru, bmilekic, jlemon, dillon
2001-03-08 19:03:26 +00:00
..
libalias Add a few ``const''s to silence some -Wwrite-strings warnings 2001-01-29 11:44:13 +00:00
accf_data.c
accf_http.c
fil.c fix conflicts 2001-02-04 14:26:56 +00:00
icmp6.h
icmp_var.h Clean up RST ratelimiting. Previously, ratelimiting occured before tests 2001-02-11 07:39:51 +00:00
if_atm.c
if_atm.h
if_ether.c Sync with the bridge/dummynet/ipfw code already tested in stable. 2001-02-10 00:10:18 +00:00
if_ether.h
if_fddi.h
igmp_var.h
igmp.c
igmp.h
in_cksum.c
in_gif.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
in_gif.h
in_hostcache.c
in_hostcache.h
in_pcb.c During a flood, we don't call rtfree(), but we remove the entry ourselves. 2001-03-04 21:28:40 +00:00
in_pcb.h Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
in_proto.c
in_rmx.c
in_systm.h
in_var.h Convert if_multiaddrs from LIST to TAILQ so that it can be traversed 2001-02-06 10:12:15 +00:00
in.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
in.h o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
ip6.h
ip_auth.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_auth.h
ip_compat.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_divert.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_dummynet.c Sync with the bridge/dummynet/ipfw code already tested in stable. 2001-02-10 00:10:18 +00:00
ip_dummynet.h MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
ip_ecn.c
ip_ecn.h
ip_encap.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_encap.h
ip_fil.c
ip_fil.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_flow.c
ip_flow.h
ip_frag.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_frag.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_ftp_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_fw.c The TCP header-specific section suffered a little bit of bitrot recently: 2001-02-27 10:20:44 +00:00
ip_fw.h Introduce a new feature in IPFW: Check of the source or destination 2001-02-13 14:12:37 +00:00
ip_icmp.c It was possible for ip_forward() to supply to icmp_error() 2001-03-08 19:03:26 +00:00
ip_icmp.h
ip_input.c It was possible for ip_forward() to supply to icmp_error() 2001-03-08 19:03:26 +00:00
ip_log.c
ip_mroute.c Fix typo: seperate -> separate. 2001-02-06 11:21:58 +00:00
ip_mroute.h
ip_nat.c fix duplicate rcsid 2001-02-04 15:25:15 +00:00
ip_nat.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_output.c Remove conditionals for vax support. 2001-02-26 20:05:32 +00:00
ip_proxy.c
ip_proxy.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_raudio_pxy.c
ip_rcmd_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_state.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_state.h
ip_var.h
ip.h
ipl.h fix conflicts 2001-02-04 14:26:56 +00:00
ipprotosw.h
mlfk_ipl.c fix conflicts 2001-02-04 14:26:56 +00:00
raw_ip.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
tcp_debug.c
tcp_debug.h
tcp_fsm.h
tcp_input.c Do not delay a new ack if there already is a delayed ack pending on the 2001-02-25 15:17:24 +00:00
tcp_output.c
tcp_reass.c Do not delay a new ack if there already is a delayed ack pending on the 2001-02-25 15:17:24 +00:00
tcp_seq.h
tcp_subr.c Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
tcp_timer.c Use more aggressive retransmit timeouts for the initial SYN packet. 2001-02-26 21:33:55 +00:00
tcp_timer.h
tcp_timewait.c Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
tcp_usrreq.c o Move per-process jail pointer (p->pr_prison) to inside of the subject 2001-02-21 06:39:57 +00:00
tcp_var.h Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
tcp.h
tcpip.h Remove struct full_tcpiphdr{}. 2001-02-26 20:10:16 +00:00
udp_usrreq.c Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
udp_var.h remove unused data structure definition, and corresponding macro into*() 2001-02-18 07:10:03 +00:00
udp.h