Tue Jan 24 18:37:20 2017 UTC ()
Don't forget to free the mbuf when we decide not to reply to an ARP
request. This obviously is a terrible bug, since it allows a remote sender
to DoS the system with specially-crafted requests sent in a loop.


(maxv)
diff -r1.75 -r1.76 src/sys/net/if_arcsubr.c
diff -r1.49 -r1.50 src/sys/net/if_ecosubr.c
diff -r1.235 -r1.236 src/sys/net/if_ethersubr.c
diff -r1.103 -r1.104 src/sys/net/if_fddisubr.c
diff -r1.79 -r1.80 src/sys/net/if_tokensubr.c

cvs diff -r1.75 -r1.76 src/sys/net/if_arcsubr.c (expand / switch to context diff)
--- src/sys/net/if_arcsubr.c 2017/01/11 13:08:29 1.75
+++ src/sys/net/if_arcsubr.c 2017/01/24 18:37:20 1.76
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_arcsubr.c,v 1.75 2017/01/11 13:08:29 ozaki-r Exp $	*/
+/*	$NetBSD: if_arcsubr.c,v 1.76 2017/01/24 18:37:20 maxv Exp $	*/
 
 /*
  * Copyright (c) 1994, 1995 Ignatios Souvatzis
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.75 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arcsubr.c,v 1.76 2017/01/24 18:37:20 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -171,8 +171,10 @@
 			adst = arcbroadcastaddr;
 		else {
 			uint8_t *tha = ar_tha(arph);
-			if (tha == NULL)
+			if (tha == NULL) {
+				m_freem(m);
 				return 0;
+			}
 			adst = *tha;
 		}
 
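Review bot: In the `tha == NULL` branch the mbuf is now freed but the function still returns 0, which presumably reads as success to the caller although the reply was dropped, and no comment says why. I would add `/* No target hardware address: drop the reply. m is ours to free on every return path. */` above `m_freem(m);` so the ownership rule behind this leak is written down. The identical branch is patched in if_ecosubr.c, if_ethersubr.c, if_fddisubr.c and if_tokensubr.c, and the same comment fits there. The enclosing function starts and ends outside the hunk, so its other early returns could not be checked here and deserve the same audit.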

cvs diff -r1.49 -r1.50 src/sys/net/Attic/if_ecosubr.c (expand / switch to context diff)
--- src/sys/net/Attic/if_ecosubr.c 2016/10/03 11:06:06 1.49
+++ src/sys/net/Attic/if_ecosubr.c 2017/01/24 18:37:20 1.50
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ecosubr.c,v 1.49 2016/10/03 11:06:06 ozaki-r Exp $	*/
+/*	$NetBSD: if_ecosubr.c,v 1.50 2017/01/24 18:37:20 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2001 Ben Harris
@@ -58,7 +58,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.49 2016/10/03 11:06:06 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ecosubr.c,v 1.50 2017/01/24 18:37:20 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -210,8 +210,10 @@
 	case AF_ARP:
 		ah = mtod(m, struct arphdr *);
 
-		if (ntohs(ah->ar_pro) != ETHERTYPE_IP)
-			return EAFNOSUPPORT;
+		if (ntohs(ah->ar_pro) != ETHERTYPE_IP) {
+			error = EAFNOSUPPORT;
+			goto bad;
+		}
 		ehdr.eco_port = ECO_PORT_IP;
 		switch (ntohs(ah->ar_op)) {
 		case ARPOP_REQUEST:
@@ -221,7 +223,8 @@
 			ehdr.eco_control = ECO_CTL_ARP_REPLY;
 			break;
 		default:
-			return EOPNOTSUPP;
+			error = EOPNOTSUPP;
+			goto bad;
 		}
 
 		if (m->m_flags & M_BCAST)
@@ -229,8 +232,10 @@
 			    ECO_ADDR_LEN);
 		else {
 			tha = ar_tha(ah);
-			if (tha == NULL)
+			if (tha == NULL) {
+				m_freem(m);
 				return 0;
+			}
 			memcpy(ehdr.eco_dhost, tha, ECO_ADDR_LEN);
 		}
 
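Review bot: This branch frees `m` inline with `m_freem(m); return 0;` while the two earlier hunks in this file send their failure exits through `goto bad`, so the function now has two cleanup styles. If the `bad` label, which is outside the visible hunks, frees the mbuf and returns `error`, the branch could be written `error = 0; goto bad;` to keep a single release point. That only holds if `bad` has no error-only side effects such as bumping an error counter, which cannot be confirmed from here. The `goto bad` conversions also appear to close leaks on the `EAFNOSUPPORT` and `EOPNOTSUPP` exits, which the commit message does not mention.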

cvs diff -r1.235 -r1.236 src/sys/net/if_ethersubr.c (expand / switch to context diff)
--- src/sys/net/if_ethersubr.c 2017/01/13 06:11:56 1.235
+++ src/sys/net/if_ethersubr.c 2017/01/24 18:37:20 1.236
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ethersubr.c,v 1.235 2017/01/13 06:11:56 msaitoh Exp $	*/
+/*	$NetBSD: if_ethersubr.c,v 1.236 2017/01/24 18:37:20 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.235 2017/01/13 06:11:56 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.236 2017/01/24 18:37:20 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -279,6 +279,7 @@
 
 			if (tha == NULL) {
 				/* fake with ARPHDR_IEEE1394 */
+				m_freem(m);
 				return 0;
 			}
 			memcpy(edst, tha, sizeof(edst));
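Review bot: The existing comment `/* fake with ARPHDR_IEEE1394 */` does not explain the drop that now follows it, and its constant name looks misspelled (the header constant is, as far as I know, `ARPHRD_IEEE1394`). Something like `/* no target hardware address (e.g. ARPHRD_IEEE1394): drop and free the packet */` would describe what the branch actually does. The `if` sits inside a block that begins and ends outside the hunk, so the declaration of `tha` and the other exits of the function are not visible here.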

cvs diff -r1.103 -r1.104 src/sys/net/Attic/if_fddisubr.c (expand / switch to context diff)
--- src/sys/net/Attic/if_fddisubr.c 2017/01/11 13:08:29 1.103
+++ src/sys/net/Attic/if_fddisubr.c 2017/01/24 18:37:20 1.104
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_fddisubr.c,v 1.103 2017/01/11 13:08:29 ozaki-r Exp $	*/
+/*	$NetBSD: if_fddisubr.c,v 1.104 2017/01/24 18:37:20 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -96,7 +96,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_fddisubr.c,v 1.103 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_fddisubr.c,v 1.104 2017/01/24 18:37:20 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -261,11 +261,13 @@
 	case AF_ARP: {
 		struct arphdr *ah = mtod(m, struct arphdr *);
 		if (m->m_flags & M_BCAST)
-                	memcpy(edst, etherbroadcastaddr, sizeof(edst));
+			memcpy(edst, etherbroadcastaddr, sizeof(edst));
 		else {
 			void *tha = ar_tha(ah);
-			if (tha == NULL)
+			if (tha == NULL) {
+				m_freem(m);
 				return 0;
+			}
 			memcpy(edst, tha, sizeof(edst));
 		}
 
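Review bot: The re-indented `memcpy(edst, etherbroadcastaddr, sizeof(edst));` line is a whitespace-only change riding along with a security fix. Keeping it in a separate commit would make the leak fix easier to pull up to release branches and to audit line by line. The `m_freem(m)` addition itself matches the change made in the other four files.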

cvs diff -r1.79 -r1.80 src/sys/net/Attic/if_tokensubr.c (expand / switch to context diff)
--- src/sys/net/Attic/if_tokensubr.c 2017/01/11 13:08:29 1.79
+++ src/sys/net/Attic/if_tokensubr.c 2017/01/24 18:37:20 1.80
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_tokensubr.c,v 1.79 2017/01/11 13:08:29 ozaki-r Exp $	*/
+/*	$NetBSD: if_tokensubr.c,v 1.80 2017/01/24 18:37:20 maxv Exp $	*/
 
 /*
  * Copyright (c) 1982, 1989, 1993
@@ -92,7 +92,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_tokensubr.c,v 1.79 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_tokensubr.c,v 1.80 2017/01/24 18:37:20 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -267,8 +267,10 @@
 		}
 		else {
 			void *tha = ar_tha(ah);
-			if (tha == NULL)
+			if (tha == NULL) {
+				m_freem(m);
 				return 0;
+			}
 			memcpy(edst, tha, sizeof(edst));
 			trh = (struct token_header *)M_TRHSTART(m);
 			trh->token_ac = TOKEN_AC;