History log of /freebsd/sys/netinet/ip_reass.c (Results 26 – 48 of 48)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 04f44499 22-Apr-2019 Hans Petter Selasky <hselasky@FreeBSD.org>

Fix build for mips and powerpc after r346530.

Need to include sys/kernel.h to define SYSINIT() which is used
by sys/eventhandler.h .

MFC after: 1 week
Sponsored by: Mellanox Technologies


# 40eb3896 22-Apr-2019 Hans Petter Selasky <hselasky@FreeBSD.org>

Fix panic in network stack due to memory use after free in relation to
fragmented packets.

When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
the mbuf making up the fragment will

Fix panic in network stack due to memory use after free in relation to
fragmented packets.

When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
the mbuf making up the fragment will remain in the temporary hashed
fragment list for a while. If the network interface departs before the
so-called slow timeout clears the packet, the fragment causes a panic
when the timeout kicks in due to accessing a freed network interface
structure.

Make sure that when a network device is departing, all hashed IPv4 and
IPv6 fragments belonging to it, get freed.

Backtrace:
panic()
icmp6_reflect()

hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
^^^^ rcvif->if_afdata[AF_INET6] is NULL.

icmp6_error()
frag6_freef()
frag6_slowtimo()
pfslowtimo()
softclock_call_cc()
softclock()
ithread_loop()

Differential Revision: https://reviews.freebsd.org/D19622
Reviewed by: bz (network), adrian
MFC after: 1 week
Sponsored by: Mellanox Technologies

show more ...


Revision tags: release/12.0.0
# 3d5db455 24-Nov-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r340427 through r340868.


# 2157f3c3 16-Nov-2018 Jonathan T. Looney <jtl@FreeBSD.org>

Add some additional length checks to the IPv4 fragmentation code.

Specifically, block 0-length fragments, even when the MF bit is clear.
Also, ensure that every fragment with the MF bit clear ends a

Add some additional length checks to the IPv4 fragmentation code.

Specifically, block 0-length fragments, even when the MF bit is clear.
Also, ensure that every fragment with the MF bit clear ends at the same
offset and that no subsequently-received fragments exceed that offset.

Reviewed by: glebius, markj
MFC after: 3 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D17922

show more ...


# 9b5cb2f6 12-Nov-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r340235 through r340367.


# 86af1d02 10-Nov-2018 Mark Johnston <markj@FreeBSD.org>

Ensure that IP fragments do not extend beyond IP_MAXPACKET.

Such fragments are obviously invalid, and when processed may end up
violating the sort order (by offset) of fragments of a given packet.
T

Ensure that IP fragments do not extend beyond IP_MAXPACKET.

Such fragments are obviously invalid, and when processed may end up
violating the sort order (by offset) of fragments of a given packet.
This doesn't appear to be exploitable, however.

Reviewed by: emaste
Discussed with: jtl
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17914

show more ...


# 3611ec60 18-Aug-2018 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r337646 through r338014.


# a967df1c 14-Aug-2018 Jonathan T. Looney <jtl@FreeBSD.org>

Lower the default limits on the IPv4 reassembly queue.

In particular, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the

Lower the default limits on the IPv4 reassembly queue.

In particular, try to ensure that no bucket will have a reassembly
queue larger than approximately 100 items. This limits the cost to
find the correct reassembly queue when processing an incoming
fragment.

Due to the low limits on each bucket's length, increase the size of
the hash table from 64 to 1024.

Reviewed by: jhb
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

show more ...


# ff790bba 14-Aug-2018 Jonathan T. Looney <jtl@FreeBSD.org>

Implement a limit on on the number of IPv4 reassembly queues per bucket.

There is a hashing algorithm which should distribute IPv4 reassembly
queues across the available buckets in a relatively even

Implement a limit on on the number of IPv4 reassembly queues per bucket.

There is a hashing algorithm which should distribute IPv4 reassembly
queues across the available buckets in a relatively even way. However,
if there is a flaw in the hashing algorithm which allows a large number
of IPv4 fragment reassembly queues to end up in a single bucket, a per-
bucket limit could help mitigate the performance impact of this flaw.

Implement such a limit, with a default of twice the maximum number of
reassembly queues divided by the number of buckets. Recalculate the
limit any time the maximum number of reassembly queues changes.
However, allow the user to override the value using a sysctl
(net.inet.ip.maxfragbucketsize).

Reviewed by: jhb
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

show more ...


# 7b9c5eb0 14-Aug-2018 Jonathan T. Looney <jtl@FreeBSD.org>

Add a global limit on the number of IPv4 fragments.

The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on

Add a global limit on the number of IPv4 fragments.

The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
of enough VNETs), it is possible that the sum of all the VNET limits
will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limit is intended (at least in part) to
regulate access to a global resource, the fragment limit should
be applied on a global basis.

VNET-specific limits can be adjusted by modifying the
net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket
sysctls.

To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0.
To disable fragment reassembly for a particular VNET, set
net.inet.ip.maxfragpackets to 0.

Reviewed by: jhb
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

show more ...


# 5d9bd455 14-Aug-2018 Jonathan T. Looney <jtl@FreeBSD.org>

Improve hashing of IPv4 fragments.

Currently, IPv4 fragments are hashed into buckets based on a 32-bit
key which is calculated by (src_ip ^ ip_id) and combined with a random
seed. However, because a

Improve hashing of IPv4 fragments.

Currently, IPv4 fragments are hashed into buckets based on a 32-bit
key which is calculated by (src_ip ^ ip_id) and combined with a random
seed. However, because an attacker can control the values of src_ip
and ip_id, it is possible to construct an attack which causes very
deep chains to form in a given bucket.

To ensure more uniform distribution (and lower predictability for
an attacker), calculate the hash based on a key which includes all
the fields we use to identify a reassembly queue (dst_ip, src_ip,
ip_id, and the ip protocol) as well as a random seed.

Reviewed by: jhb
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

show more ...


# 14b841d4 11-Aug-2018 Kyle Evans <kevans@FreeBSD.org>

MFH @ r337607, in preparation for boarding


# 5f901c92 24-Jul-2018 Andrew Turner <andrew@FreeBSD.org>

Use the new VNET_DEFINE_STATIC macro when we are defining static VNET
variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147


Revision tags: release/11.2.0
# 09b0b8c0 24-Jan-2018 Navdeep Parhar <np@FreeBSD.org>

Do not generate illegal mbuf chains during IP fragment reassembly. Only
the first mbuf of the reassembled datagram should have a pkthdr.

This was discovered with cxgbe(4) + IPSEC + ping with payloa

Do not generate illegal mbuf chains during IP fragment reassembly. Only
the first mbuf of the reassembled datagram should have a pkthdr.

This was discovered with cxgbe(4) + IPSEC + ping with payload more than
interface MTU. cxgbe can generate !M_WRITEABLE mbufs and this results
in m_unshare being called on the reassembled datagram, and it complains:

panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR

PR: 224922
Reviewed by: ae@
MFC after: 1 week
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D14009

show more ...


Revision tags: release/10.4.0, release/11.1.0
# 348238db 01-Mar-2017 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r314420 through r314481.


# fbbd9655 01-Mar-2017 Warner Losh <imp@FreeBSD.org>

Renumber copyright clause 4

Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is

Renumber copyright clause 4

Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96

show more ...


Revision tags: release/11.0.1, release/11.0.0, release/10.3.0, release/10.2.0
# 416ba5c7 22-Jun-2015 Navdeep Parhar <np@FreeBSD.org>

Catch up with HEAD (r280229-r284686).


# 98e0ffae 27-May-2015 Simon J. Gerraty <sjg@FreeBSD.org>

Merge sync of head


# 7757a1b4 03-May-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from head


# 7263c8c0 22-Apr-2015 Glen Barber <gjb@FreeBSD.org>

MFH: r280643-r281852

Sponsored by: The FreeBSD Foundation


# 3e217461 15-Apr-2015 Adrian Chadd <adrian@FreeBSD.org>

Fix RSS build - netisr input / NETISR_IP_DIRECT is used here.


# c047fd1b 10-Apr-2015 Gleb Smirnoff <glebius@FreeBSD.org>

o Use Jenkins hash. With previous hash, for a single source IP address and
sequential IP ID case (e.g. ping -f), distribution fell into 8-10 buckets
out of 64. With Jenkins hash, distribution is

o Use Jenkins hash. With previous hash, for a single source IP address and
sequential IP ID case (e.g. ping -f), distribution fell into 8-10 buckets
out of 64. With Jenkins hash, distribution is even.
o Add random seed to the hash.

Sponsored by: Nginx, Inc.

show more ...


# 1dbefcc0 10-Apr-2015 Gleb Smirnoff <glebius@FreeBSD.org>

Move all code related to IP fragment reassembly to ip_reass.c. Some
function names have changed and comments are reformatted or added, but
there is no functional change.

Claim copyright for me and

Move all code related to IP fragment reassembly to ip_reass.c. Some
function names have changed and comments are reformatted or added, but
there is no functional change.

Claim copyright for me and Adrian.

Sponsored by: Nginx, Inc.

show more ...


12