Tue Mar 13 16:43:06 2018 UTC ()
Pull up following revision(s) (requested by ozaki-r in ticket #1518):
	sys/netinet6/ip6_forward.c: 1.89-1.90 via patch
Fix use-after-free of mbuf by ip6flow_create
This fixes recent failures of some ATF tests such as t_ipsec_tunnel_odd.
--
Fix use-after-free of mbuf by ip6flow_create (one more)


(snj)
diff -r1.69 -r1.69.2.1 src/sys/netinet6/ip6_forward.c


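--- a/src/sys/netinet6/ip6_forward.c
+++ b/src/sys/netinet6/ip6_forward.c
@@ -1,14 +1,14 @@
-/* $NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $ */
+/* $NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $ */
 /* $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
@@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69.2.1 2018/03/13 16:43:06 snj Exp $");
 
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/errno.h>
@@ -635,28 +635,28 @@ ip6_forward(struct mbuf *m, int srcrt)
 #endif /* PFIL_HOOKS */
 
  error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
  if (error) {
  in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
  IP6_STATINC(IP6_STAT_CANTFORWARD);
  } else {
  IP6_STATINC(IP6_STAT_FORWARD);
  in6_ifstat_inc(rt->rt_ifp, ifs6_out_forward);
  if (type)
  IP6_STATINC(IP6_STAT_REDIRECTSENT);
  else {
 #ifdef GATEWAY
- if (m->m_flags & M_CANFASTFWD)
- ip6flow_create(&ip6_forward_rt, m);
+ if (mcopy->m_flags & M_CANFASTFWD)
+ ip6flow_create(&ip6_forward_rt, mcopy);
 #endif
  if (mcopy)
  goto freecopy;
  }
  }
 
 #ifdef PFIL_HOOKS
  senderr:
 #endif
  if (mcopy == NULL)
  return;
  switch (error) {
  case 0: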
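Review bot: The new `mcopy->m_flags & M_CANFASTFWD` test in the GATEWAY block dereferences `mcopy` before the `if (mcopy)` check that follows `#endif`, and the `if (mcopy == NULL) return;` after `senderr:` suggests the copy can legitimately be absent at this point. Where `mcopy` is assigned is outside the hunk, but if it can be NULL here (for example when the copy allocation fails), a GATEWAY kernel would trade the use-after-free on `m` for a NULL dereference on the forwarding path. Guarding the test, `if (mcopy != NULL && (mcopy->m_flags & M_CANFASTFWD))`, keeps the fix and skips flow creation when there is no copy. A one-line comment such as `/* m was consumed by nd6_output(); only mcopy is still valid here */` would also stop the original mistake from being reintroduced. ip6_forward's body starts and ends outside the hunk.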