#
04f44499 |
| 22-Apr-2019 |
Hans Petter Selasky <hselasky@FreeBSD.org> |
Fix build for mips and powerpc after r346530.
Need to include sys/kernel.h to define SYSINIT() which is used by sys/eventhandler.h .
MFC after: 1 week Sponsored by: Mellanox Technologies
|
#
40eb3896 |
| 22-Apr-2019 |
Hans Petter Selasky <hselasky@FreeBSD.org> |
Fix panic in network stack due to memory use after free in relation to fragmented packets.
When sending IPv4 and IPv6 fragmented packets and a fragment is lost, the mbuf making up the fragment will
Fix panic in network stack due to memory use after free in relation to fragmented packets.
When sending IPv4 and IPv6 fragmented packets and a fragment is lost, the mbuf making up the fragment will remain in the temporary hashed fragment list for a while. If the network interface departs before the so-called slow timeout clears the packet, the fragment causes a panic when the timeout kicks in due to accessing a freed network interface structure.
Make sure that when a network device is departing, all hashed IPv4 and IPv6 fragments belonging to it, get freed.
Backtrace: panic() icmp6_reflect()
hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim; ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
icmp6_error() frag6_freef() frag6_slowtimo() pfslowtimo() softclock_call_cc() softclock() ithread_loop()
Differential Revision: https://reviews.freebsd.org/D19622 Reviewed by: bz (network), adrian MFC after: 1 week Sponsored by: Mellanox Technologies
show more ...
|
Revision tags: release/12.0.0 |
|
#
3d5db455 |
| 24-Nov-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r340427 through r340868.
|
#
2157f3c3 |
| 16-Nov-2018 |
Jonathan T. Looney <jtl@FreeBSD.org> |
Add some additional length checks to the IPv4 fragmentation code.
Specifically, block 0-length fragments, even when the MF bit is clear. Also, ensure that every fragment with the MF bit clear ends a
Add some additional length checks to the IPv4 fragmentation code.
Specifically, block 0-length fragments, even when the MF bit is clear. Also, ensure that every fragment with the MF bit clear ends at the same offset and that no subsequently-received fragments exceed that offset.
Reviewed by: glebius, markj MFC after: 3 days Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D17922
show more ...
|
#
9b5cb2f6 |
| 12-Nov-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r340235 through r340367.
|
#
86af1d02 |
| 10-Nov-2018 |
Mark Johnston <markj@FreeBSD.org> |
Ensure that IP fragments do not extend beyond IP_MAXPACKET.
Such fragments are obviously invalid, and when processed may end up violating the sort order (by offset) of fragments of a given packet. T
Ensure that IP fragments do not extend beyond IP_MAXPACKET.
Such fragments are obviously invalid, and when processed may end up violating the sort order (by offset) of fragments of a given packet. This doesn't appear to be exploitable, however.
Reviewed by: emaste Discussed with: jtl MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17914
show more ...
|
#
3611ec60 |
| 18-Aug-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r337646 through r338014.
|
#
a967df1c |
| 14-Aug-2018 |
Jonathan T. Looney <jtl@FreeBSD.org> |
Lower the default limits on the IPv4 reassembly queue.
In particular, try to ensure that no bucket will have a reassembly queue larger than approximately 100 items. This limits the cost to find the
Lower the default limits on the IPv4 reassembly queue.
In particular, try to ensure that no bucket will have a reassembly queue larger than approximately 100 items. This limits the cost to find the correct reassembly queue when processing an incoming fragment.
Due to the low limits on each bucket's length, increase the size of the hash table from 64 to 1024.
Reviewed by: jhb Security: FreeBSD-SA-18:10.ip Security: CVE-2018-6923
show more ...
|
#
ff790bba |
| 14-Aug-2018 |
Jonathan T. Looney <jtl@FreeBSD.org> |
Implement a limit on on the number of IPv4 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv4 reassembly queues across the available buckets in a relatively even
Implement a limit on on the number of IPv4 reassembly queues per bucket.
There is a hashing algorithm which should distribute IPv4 reassembly queues across the available buckets in a relatively even way. However, if there is a flaw in the hashing algorithm which allows a large number of IPv4 fragment reassembly queues to end up in a single bucket, a per- bucket limit could help mitigate the performance impact of this flaw.
Implement such a limit, with a default of twice the maximum number of reassembly queues divided by the number of buckets. Recalculate the limit any time the maximum number of reassembly queues changes. However, allow the user to override the value using a sysctl (net.inet.ip.maxfragbucketsize).
Reviewed by: jhb Security: FreeBSD-SA-18:10.ip Security: CVE-2018-6923
show more ...
|
#
7b9c5eb0 |
| 14-Aug-2018 |
Jonathan T. Looney <jtl@FreeBSD.org> |
Add a global limit on the number of IPv4 fragments.
The IP reassembly fragment limit is based on the number of mbuf clusters, which are a global resource. However, the limit is currently applied on
Add a global limit on the number of IPv4 fragments.
The IP reassembly fragment limit is based on the number of mbuf clusters, which are a global resource. However, the limit is currently applied on a per-VNET basis. Given enough VNETs (or given sufficient customization of enough VNETs), it is possible that the sum of all the VNET limits will exceed the number of mbuf clusters available in the system.
Given the fact that the fragment limit is intended (at least in part) to regulate access to a global resource, the fragment limit should be applied on a global basis.
VNET-specific limits can be adjusted by modifying the net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket sysctls.
To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0. To disable fragment reassembly for a particular VNET, set net.inet.ip.maxfragpackets to 0.
Reviewed by: jhb Security: FreeBSD-SA-18:10.ip Security: CVE-2018-6923
show more ...
|
#
5d9bd455 |
| 14-Aug-2018 |
Jonathan T. Looney <jtl@FreeBSD.org> |
Improve hashing of IPv4 fragments.
Currently, IPv4 fragments are hashed into buckets based on a 32-bit key which is calculated by (src_ip ^ ip_id) and combined with a random seed. However, because a
Improve hashing of IPv4 fragments.
Currently, IPv4 fragments are hashed into buckets based on a 32-bit key which is calculated by (src_ip ^ ip_id) and combined with a random seed. However, because an attacker can control the values of src_ip and ip_id, it is possible to construct an attack which causes very deep chains to form in a given bucket.
To ensure more uniform distribution (and lower predictability for an attacker), calculate the hash based on a key which includes all the fields we use to identify a reassembly queue (dst_ip, src_ip, ip_id, and the ip protocol) as well as a random seed.
Reviewed by: jhb Security: FreeBSD-SA-18:10.ip Security: CVE-2018-6923
show more ...
|
#
14b841d4 |
| 11-Aug-2018 |
Kyle Evans <kevans@FreeBSD.org> |
MFH @ r337607, in preparation for boarding
|
#
5f901c92 |
| 24-Jul-2018 |
Andrew Turner <andrew@FreeBSD.org> |
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.
Reviewed by: bz Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D16147
|
Revision tags: release/11.2.0 |
|
#
09b0b8c0 |
| 24-Jan-2018 |
Navdeep Parhar <np@FreeBSD.org> |
Do not generate illegal mbuf chains during IP fragment reassembly. Only the first mbuf of the reassembled datagram should have a pkthdr.
This was discovered with cxgbe(4) + IPSEC + ping with payloa
Do not generate illegal mbuf chains during IP fragment reassembly. Only the first mbuf of the reassembled datagram should have a pkthdr.
This was discovered with cxgbe(4) + IPSEC + ping with payload more than interface MTU. cxgbe can generate !M_WRITEABLE mbufs and this results in m_unshare being called on the reassembled datagram, and it complains:
panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR
PR: 224922 Reviewed by: ae@ MFC after: 1 week Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D14009
show more ...
|
Revision tags: release/10.4.0, release/11.1.0 |
|
#
348238db |
| 01-Mar-2017 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r314420 through r314481.
|
#
fbbd9655 |
| 01-Mar-2017 |
Warner Losh <imp@FreeBSD.org> |
Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted them permission to remove clause 3. My insistance on keeping the same numbering for legal reasons is
Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted them permission to remove clause 3. My insistance on keeping the same numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu> Pull Request: https://github.com/freebsd/freebsd/pull/96
show more ...
|
Revision tags: release/11.0.1, release/11.0.0, release/10.3.0, release/10.2.0 |
|
#
416ba5c7 |
| 22-Jun-2015 |
Navdeep Parhar <np@FreeBSD.org> |
Catch up with HEAD (r280229-r284686).
|
#
98e0ffae |
| 27-May-2015 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge sync of head
|
#
7757a1b4 |
| 03-May-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Merge from head
|
#
7263c8c0 |
| 22-Apr-2015 |
Glen Barber <gjb@FreeBSD.org> |
MFH: r280643-r281852
Sponsored by: The FreeBSD Foundation
|
#
3e217461 |
| 15-Apr-2015 |
Adrian Chadd <adrian@FreeBSD.org> |
Fix RSS build - netisr input / NETISR_IP_DIRECT is used here.
|
#
c047fd1b |
| 10-Apr-2015 |
Gleb Smirnoff <glebius@FreeBSD.org> |
o Use Jenkins hash. With previous hash, for a single source IP address and sequential IP ID case (e.g. ping -f), distribution fell into 8-10 buckets out of 64. With Jenkins hash, distribution is
o Use Jenkins hash. With previous hash, for a single source IP address and sequential IP ID case (e.g. ping -f), distribution fell into 8-10 buckets out of 64. With Jenkins hash, distribution is even. o Add random seed to the hash.
Sponsored by: Nginx, Inc.
show more ...
|
#
1dbefcc0 |
| 10-Apr-2015 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Move all code related to IP fragment reassembly to ip_reass.c. Some function names have changed and comments are reformatted or added, but there is no functional change.
Claim copyright for me and
Move all code related to IP fragment reassembly to ip_reass.c. Some function names have changed and comments are reformatted or added, but there is no functional change.
Claim copyright for me and Adrian.
Sponsored by: Nginx, Inc.
show more ...
|