Thu Apr 23 13:31:43 2020 UTC ()
Pull up following revision(s) (requested by roy in ticket #845):

	sys/netinet6/nd6_nbr.c: revision 1.178

inet6: nd6_na_input() now considers ln_state <= ND6_LLINFO_INCOMPLETE

Otherwise if ln_state != ND6_LLINFO_INCOMPLETE and there is no lladdr
and this message was solicited then ln_state is set to ND6_LLINFO_REACHABLE
which could then cause a panic in nd6_resolve().

If ln_state > ND6_LLINFO_INCOMPLETE then it's assumed we have a lladdr.
Potentially this could have been triggered by the introduction of
ND6_LLINFO_PURGE in nd6.c r1.143 but also by the re-introduction of
ND6_LLINFO_INCOMPLETE in nd6.c r1.263.

Depending on the timing, it's technically possible to receive such
a message after the llentry is created with ND6_LLINFO_NOSTATE.


(martin)
diff -r1.166.2.4 -r1.166.2.5 src/sys/netinet6/nd6_nbr.c


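--- a/src/sys/netinet6/nd6_nbr.c
+++ b/src/sys/netinet6/nd6_nbr.c
@@ -1,14 +1,14 @@
-/* $NetBSD: nd6_nbr.c,v 1.166.2.4 2019/09/30 15:55:40 martin Exp $ */
+/* $NetBSD: nd6_nbr.c,v 1.166.2.5 2020/04/23 13:31:43 martin Exp $ */
 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
@@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.166.2.4 2019/09/30 15:55:40 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.166.2.5 2020/04/23 13:31:43 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_net_mpsafe.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kmem.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sockio.h>
@@ -725,27 +725,27 @@ nd6_na_input(struct mbuf *m, int off, in
  IN6_PRINT(ip6buf, &saddr6), if_name(ifp));
  goto bad;
  }
 
  /*
  * If no neighbor cache entry is found, NA SHOULD silently be
  * discarded.
  */
  ln = nd6_lookup(&taddr6, ifp, true);
  if (ln == NULL)
  goto freeit;
 
  rt_cmd = 0;
- if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
+ if (ln->ln_state <= ND6_LLINFO_INCOMPLETE) {
  /*
  * If the link-layer has address, and no lladdr option came,
  * discard the packet.
  */
  if (ifp->if_addrlen && !lladdr)
  goto freeit;
 
  /*
  * Record link-layer address, and update the state.
  */
  memcpy(&ln->ll_addr, lladdr, ifp->if_addrlen);
  ln->la_flags |= LLE_VALID;
  rt_cmd = RTM_ADD;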
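Review bot: The new test `ln->ln_state <= ND6_LLINFO_INCOMPLETE` (line 738) depends on the numeric ordering of the ND6_LLINFO_* constants, and nothing at the condition says so. This path is driven by Neighbor Advertisements received from the link, and the commit message ties the wrong branch to a panic in nd6_resolve(), so the invariant is worth a comment above the `if`: `/* States <= ND6_LLINFO_INCOMPLETE have no lladdr yet; every higher state is assumed to have one. */`. A state constant added later would have to be numbered so that this comparison still sorts it onto the correct side. nd6_na_input() starts and ends outside the hunk.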