---
- branch: netbsd-8
  date: Mon May 14 19:22:30 UTC 2018
  files:
    - new: 1.24.8.2
      old: 1.24.8.1
      path: src/sys/net/npf/npf_alg_icmp.c
      pathrev: src/sys/net/npf/npf_alg_icmp.c@1.24.8.2
      type: modified
    - new: 1.37.6.2
      old: 1.37.6.1
      path: src/sys/net/npf/npf_inet.c
      pathrev: src/sys/net/npf/npf_inet.c@1.37.6.2
      type: modified
    - new: 1.16.8.2
      old: 1.16.8.1
      path: src/sys/net/npf/npf_sendpkt.c
      pathrev: src/sys/net/npf/npf_sendpkt.c@1.16.8.2
      type: modified
  id: 20180514T192230Z.5352aee9e6775071eb404c5b26f92a3efa92b0c8
  log: |
    Pull up following revision(s) (requested by maxv in ticket #823):

        sys/net/npf/npf_inet.c: revision 1.45-1.47
        sys/net/npf/npf_alg_icmp.c: revision 1.27-1.30
        sys/net/npf/npf_sendpkt.c: revision 1.19

    Fix use-after-free.

    The nbuf can be reallocated as a result of caching 'enpc', so it is
    necessary to recache 'npc', otherwise it contains pointers to the freed
    mbuf - pointers which are then used in the ruleset machinery.

    We recache 'npc' when we are sure we won't use 'enpc' anymore, because
    'enpc' can be clobbered as a result of caching 'npc' (in other words,
    only one of the two can be cached at the same time).
    Also, we recache 'npc' unconditionally, because there is no way to know
    whether the nbuf got clobbered relatively to it. We can't use the
    NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
    cache.

    Discussed with rmind@.

    Change npf_cache_all so that it ensures the potential ICMP Query Id is in
    the nbuf. In such a way that we don't need to ensure that later.
    Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
    the nbuf nor npc. Adapt their callers accordingly.

    In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
    right away, without recaching npc (not needed since we didn't touch the
    nbuf).

    This fixes the handling of Query Id packets (that I broke in my previous
    commit), and also fixes another possible use-after-free.

    Retrieve the complete IPv4 header right away, and make sure we did retrieve
    the IPv6 option header we were iterating on.

    Ah, fix compilation. I tested my previous change by loading the kernel
    module from the filesystem, but the Makefile didn't have DIAGNOSTIC
    enabled, and the two KASSERTs I added did not compile properly.

    If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
    is unknown, and error out right away.

    This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
    without checking the cache too. I've seen a ~similar problem already.

    In addition to checking L4 in the cache, here we also need to check the
    protocol. The NPF entry point does not ensure that
     ICMPv6 can be set only in IPv6
     ICMPv4 can be set only in IPv4
    So we could have ICMPv6 in IPv4.

    Apply some INET6 so this compiles in INET6-less kernels again.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/net/npf'
  unixtime: '1526325750'
  user: martin