Commit Graph

1934 Commits

Author SHA1 Message Date
maxv
36f08dfcb9 Don't forget to initialize 'sin6_len'. With kASan, from time to time the
value will be bigger than the size of the source, and we get a read
overflow. With kMSan the uninitialized access is detected immediately.

Reported-by: syzbot+841ca14baccec37b4f8f@syzkaller.appspotmail.com
2020-01-03 08:53:14 +00:00
msaitoh
53636c3c61 s/referece/reference/ in comment. 2019-12-27 10:17:56 +00:00
ozaki-r
a8d6848953 Get rid of unnecessary NULL checks for rt_ifa and ifa_ifp
They are always non-NULL nowadays.
2019-11-13 02:51:22 +00:00
maxv
624f3f7406 Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The
Rip6 entry point could see a garbage Hop6 option.

Not a big issue, since it's a clean panic only triggerable if the socket
has the IN6P_DSTOPTS/IN6P_RTHDR option.

Reported-by: syzbot+3b07b3511b4ceb8bf1e2@syzkaller.appspotmail.com
2019-11-12 08:11:55 +00:00
knakahara
93a28c822d Make global and per-interface ipsecif(4) pmtu tunable like gif(4).
And make hop limit tunable same as gif(4).

See http://mail-index.netbsd.org/source-changes/2019/10/30/msg110426.html
2019-11-01 04:28:14 +00:00
knakahara
c535599f70 Fix ipsecif(4) IPV6_MINMTU does not work correctly. 2019-11-01 04:23:21 +00:00
knakahara
70414ea5b8 Add sysctl nodes to control fragmentation with IPv[46] over IPv6 gif(4).
New sysctl node "net.inet6.ip6.gifpmtu" means
    - 0 (default)
      Fragment by IPV6_MMTU. All packets reach the destination certainly,
      however the long packet performance is poor.
      This is same behavior as before.
    - 1
      Fragment by outer interface's MTU. The long packet performance would
      be good, however the packets may be dropped in some network paths
      whose path MTU less than the interface's MTU.
    - others
      undefined yet

New sysctl node "net.interfaces.gif*.pmtu" means
    - -1 (default)
      Use system default value (net.inet6.ip6.gifpmtu).
    - 0
      Fragment by IPV6_MMTU for this gif(4) tunnel.
    - 1
      Fragment by outer interface's MTU for this gif(4) tunnel.
    - others
      undefined yet

See RFC4459 for more information and other solutions.
2019-10-30 03:45:59 +00:00
ozaki-r
5fd0d56def in6: reset the temporary address timer on a change of the interval period 2019-10-18 04:33:53 +00:00
msaitoh
c56890eeef s/initalize/initialize/ in comment or printf message. 2019-10-18 04:09:01 +00:00
ozaki-r
367904e3e7 Validate ip6_temp_preferred_lifetime (net.inet6.ip6.temppltime) on a change
ip6_temp_preferred_lifetime is used to calculate an interval period to
regenerate temporary addresse by
  TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR
as per RFC 3041 3.5.  So it must be greater than (REGEN_ADVANCE +
DESYNC_FACTOR), otherwise it will be negative and go wrong, for example
KASSERT(to_ticks >= 0) in callout_schedule_locked fails.
2019-10-16 07:41:28 +00:00
ozaki-r
e32ddc921e Reorganize in6_tmpaddrtimer stuffs
- Move the related functions to where in6_tmpaddrtimer_ch exists
- Hide global variable in6_tmpaddrtimer_ch
- Rename ip6_init2 to in6_tmpaddrtimer_init
- Reduce callers of callout_reset
- Use callout_schedule
2019-10-16 07:40:40 +00:00
uwe
51ae856229 icmp6_notify_error - fix ctlfunc typedef to match pr_ctlinput,
drop the cast that is no longer necessary.
2019-10-06 02:30:58 +00:00
ozaki-r
760452d22f Make panic messages more informative 2019-09-25 09:53:37 +00:00
ozaki-r
042d1b5f86 Initialize DAD components properly
The original code initialized each component in non-init functions such as
arp_dad_start and nd6_dad_find, conditionally based on a global flag for each.
However, it was racy because the flag and the code around it were not
protected by a lock and could cause a kernel panic at worst.

Fix the issue by initializing the components in bootup as usual.
2019-09-25 09:52:32 +00:00
kamil
fb9540262a Remove __noubsan from in6_clearscope()
The alignment issues for x86 should be handled by
 - src/sys/arch/amd64/include/types.h r. 1.62 and
 - src/sys/arch/i386/include/types.h r. 1.90
2019-09-23 23:12:47 +00:00
kamil
a5df2084c7 Decorate in6_clearscope() with __noubsan
sys/netinet6/scope6.c:480:6,
member access within misaligned address 0xffff9457bc441286 for type
'struct in6_addr' which requires 4 byte alignment

This issue is caused by accessing non-__packed struct in __packed.
This is a[always?] false-positive reported by the sanitizer and there is no
clear non-invasive approach to handle this, without changing ABI of long
term existing code.

Reported-by: syzbot+b53a9bcf030288081e65@syzkaller.appspotmail.com
2019-09-20 14:53:24 +00:00
knakahara
2da350beca Avoid having a rtcache directly in a percpu storage for tunnel protocols.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@
2019-09-19 06:07:24 +00:00
ozaki-r
2bcf5b2995 Apply some missing changes lost on the previous commit 2019-09-19 05:31:50 +00:00
ozaki-r
e524fb36a1 Avoid having a rtcache directly in a percpu storage
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by knakahara@ and yamaguchi@
2019-09-19 04:08:29 +00:00
ozaki-r
46a44af0f9 nd6: remove extra pserialize_read_exit 2019-09-18 08:18:05 +00:00
bouyer
183863f5f8 Packet filters can return an mbuf chain with fragmented headers, so
m_pullup() it if needed and remove the KASSERT()s.
2019-09-15 21:00:15 +00:00
kamil
4a75a43f8c Revert regression introduced in in6.h r. 1.95
----------------------------
revision 1.95
date: 2019-05-28 05:56:46 +0200;  author: kamil;  state: Exp;  lines: +2 -2;  commitid: YrUzDYl5zfcjiVoB;
Decorate struct in6_addr with the __packed attribute

This avoids undefined behavior when accessing misaligned pointers.

Detected by kUBSan.

Patch by Akul Pillai.
----------------------------

This change caused regression in at least qemu and addresses potential binary ABI breakage.

Fixes PR/54523 by <gson>
2019-09-05 20:17:27 +00:00
roy
ca7497cb84 inet6: Re-introduce ND6_LLINFO_WAITDELETE so we can return EHOSTDOWN
Once we've sent nd6_mmaxtries NS messages, send RTM_MISS and move to the
ND6_LLINFO_WAITDELETE state rather than freeing the llentry right away.
Wait for a probe cycle and then free the llentry.

If a connection attempts to re-use the llentry during ND6_LLINFO_WAITDELETE,
return EHOSTDOWN (or EHOSTUNREACH if a gateway) to match inet behaviour.
Continue to ND6_LLINFO_INCOMPLETE and send another NS probe in hope of a
reply. Rinse and repeat.

This reverts part of nd6.c r1.14 - an 18 year old commit!
2019-09-01 19:26:21 +00:00
roy
ca19b5765e inet6: Send RTM_MISS when we fail to resolve an address.
Takes the same approach as when adding a new address - we no longer
announce the new lladdr right away but we announce the result.
This will either be RTM_ADD or RTM_MISS.
RTM_DELETE is only sent if we have a lladdr assigned OR gc'ed.

This results in less messages via route(4) and tells us when a new
lladdr has been added (RTM_ADD), changed (RTM_CHANGE), deleted (RTM_DELETED)
or has failed to been resolved (RTM_MISS). The latter case can be
interpreted as unreachable.
2019-09-01 18:54:38 +00:00
roy
b8c808c559 inet6: don't set an invalid lladdr in nd6_free()
We don't want to announce that we've deleted a hwaddr of all zeros.
2019-08-31 01:49:45 +00:00
roy
511e6e8266 inet6: Revert prior
It's not needed, listing to RA is enough as discussed on tech-net.
2019-08-30 08:40:25 +00:00
roy
4b9c1dc098 Userland really has no business with NA messages.
However, RFC 4861 6.2.5 only says departing routers
*SHOULD* send RA with lifetime of zero and *MUST*
send all subsequent NA messages if the router flag
unset.

To help userland avoid the expensive process of
parsing NA messages, send RTM_CHANGE without a
lladdr in the gateway.
This is different from the intial RTM_ADD also
without a lladdr in the gateway and RTM_DELETE.
2019-08-29 16:26:43 +00:00
roy
a1b7f5f1b5 more bool 2019-08-29 14:28:06 +00:00
roy
93098ee1d3 inet6: change rt_announce and llchange to bool in nd6_na_input() 2019-08-29 14:26:55 +00:00
roy
96c00c9b51 inet6: nd6_free assumes all routers are processed by kernel RA
This hasn't been the case for a long time if you're a dhcpcd
user with a default config. As such, it's possible for the default
IPv6 router as set by dhcpcd could be erroneously gc'ed by nd6_free.

This reduces the scope of the ND6_WLOCK taken as well as fixing an
issue where we write to ln->ln_state without a lock being held.
2019-08-27 21:11:26 +00:00
roy
ece8d0874e nd6: notify userland of neighbour lla updates once more
XXX pullup -8 -9
2019-08-22 21:22:50 +00:00
roy
508a301f81 rtsock: rework rt_clonedmsg to take a message type and lladdr
We will use this in a future patch to notify userland of lladdr
changes.

XXX pullup -8 -9
2019-08-22 21:14:45 +00:00
ozaki-r
bf98d6f362 Add missing IFNET_LOCK for regen_tmpaddr
Reported by ryo@
2019-08-14 08:34:44 +00:00
christos
7e26066147 add forward decl 2019-08-05 10:25:41 +00:00
christos
66f5ac85f3 Decrease the reference count before freeing, so that the entries actually
get free'd. (Ryota Ozaki)
2019-07-26 10:18:42 +00:00
msaitoh
d4a37f7caf Fix typo in comment (s/alreay/already/). 2019-07-24 02:38:29 +00:00
ozaki-r
0ec6d93dcf nd6: restore a missing reachability confirmation
On sending a packet over a STALE cache, the cache should be tried a reachability
confirmation, which is described in RFC 2461/4861 7.3.3.  On the fast path in
nd6_resolve, however, the treatment for STALE caches has been skipped
accidentally.  So STALE caches never be back to the REACHABLE state.

To fix the issue, branch to the fast path only when the cache entry is the
REACHABLE state and leave other caches to the slow path that includes the
treatment.  To this end we need to allow to return a link-layer address if a
valid address is available on the slow path too, which is the same behavior as
FreeBSD and OpenBSD.
2019-06-28 06:45:16 +00:00
rjs
8e33725173 Split out the prototypes for add/delete address into a separate header file. 2019-06-25 15:33:55 +00:00
kamil
5762fe1be2 Decorate struct in6_addr with the __packed attribute
This avoids undefined behavior when accessing misaligned pointers.

Detected by kUBSan.

Patch by Akul Pillai.
2019-05-28 03:56:46 +00:00
ozaki-r
6c6d1e4f71 Get rid of IFNET_LOCK for if_mcast_op to avoid a deadlock
The IFNET_LOCK was added to avoid data races on if_flags for IFF_ALLMULTI.
Unfortunatetly it caused a deadlock instead.  A known scenario causing a
deadlock is to occur the following two operations concurrently: (a) a removal of
an IP adddres assigned to an interface and (b) a manipulation of multicast
groups to the interface.  The resource dependency graph is like this:
  softnet_lock => IFNET_LOCK => psref_target_destroy => softint => softnet_lock

Thanks to the previous commit that avoids data races on if_flags for
IFF_ALLMULTI by another approach, we can remove IFNET_LOCK and defuse the
deadlock.

PR kern/54189
2019-05-15 02:59:18 +00:00
ozaki-r
6d8eb4f9d2 Count packets dropped by pfil 2019-05-13 07:47:59 +00:00
christos
45108122b9 print the name of the interface that was disabled. 2019-05-13 02:03:07 +00:00
roy
2e9156b7e4 Introduce rt_addrmsg_src which adds RTA_AUTHOR to the message.
Use this when we notify userland of a duplicate address
and set RTA_AUTHOR to the hardware address of the sender.

While here, match the logging diagnostic of INET6 to the simpler one
of INET so it's consistent.
2019-04-29 16:12:30 +00:00
roy
4af7afb834 rtsock: Route address message simplification
Rename rt_newaddrmsg to rt_addrmsg_rt.
Add rt_addrmsg which drops the error and route arguments which are only
needed by one caller.
2019-04-29 11:57:22 +00:00
maxv
2d90f583ce Fix small read overflow; harmless, because since I removed RH0, the memory
access on IPV6_RTHDR that would normally be illegal is not needed, and GCC
automatically removes it.
2019-04-03 19:23:38 +00:00
msaitoh
b1b254e088 Fix typos in comment:
- s/paylaod/payload/
- s/dstination/destination/
2019-03-19 13:38:53 +00:00
msaitoh
ad2fa80c12 s/pakcet/packet/ in comment. 2019-03-18 11:38:03 +00:00
maxv
fa4f0f3678 Fix the order in udp6_attach: soreserve should be called before
in6_pcballoc, otherwise if it fails there is still a PCB attached, and
we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a
memory leak.

By the way I find the splsoftnet highly suspicious, in6_pcballoc already
does that.

Triggered by SyzKaller.

Reported-by: syzbot+7bace612ca3cc3e124f8@syzkaller.appspotmail.com
2019-02-25 07:31:32 +00:00
maxv
d020c71c0c RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions.
Fix RIP6 and CAN, add a big XXX in the SCTP ones.

Found by KASAN, triggered by SyzKaller.

Reported-by: syzbot+0b9692ae0f49f93b7dc7@syzkaller.appspotmail.com
2019-02-25 06:49:44 +00:00
maxv
d26f60da72 RIP, RIP6, DDP, SCTP and SCTP6 lack a length check in their _connect()
functions. Fix the first three, and add a big XXX in the SCTP ones.

Found by KASAN, triggered by SyzKaller.

Reported-by: syzbot+9eaf98dad6ca738c250d@syzkaller.appspotmail.com
2019-02-24 07:20:33 +00:00