CVS commit: src/sys/netinet6

Tue, 29 Aug 2023 10:01:50 -0700 

Module Name:    src
Committed By:   christos
Date:           Tue Aug 29 17:01:35 UTC 2023

Modified Files:
        src/sys/netinet6: frag6.c

Log Message:
Add a check for FreeBSD-SA-23:06.ipv6, although it is not reproducible for us.
factor out code copied 3 times (and now would have been a 4th)


To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.77 src/sys/netinet6/frag6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet6/frag6.c
diff -u src/sys/netinet6/frag6.c:1.76 src/sys/netinet6/frag6.c:1.77
--- src/sys/netinet6/frag6.c:1.76	Fri Oct 21 05:21:17 2022
+++ src/sys/netinet6/frag6.c	Tue Aug 29 13:01:35 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: frag6.c,v 1.76 2022/10/21 09:21:17 ozaki-r Exp $	*/
+/*	$NetBSD: frag6.c,v 1.77 2023/08/29 17:01:35 christos Exp $	*/
 /*	$KAME: frag6.c,v 1.40 2002/05/27 21:40:31 itojun Exp $	*/
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.76 2022/10/21 09:21:17 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: frag6.c,v 1.77 2023/08/29 17:01:35 christos Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_net_mpsafe.h"
@@ -120,6 +120,15 @@ frag6_init(void)
 	mutex_init(&frag6_lock, MUTEX_DEFAULT, IPL_NONE);
 }
 
+static void
+frag6_dropfrag(struct ip6q *q6)
+{
+	frag6_remque(q6);
+	frag6_nfrags -= q6->ip6q_nfrag;
+	kmem_intr_free(q6, sizeof(*q6));
+	frag6_nfragpackets--;
+}
+
 /*
  * IPv6 fragment input.
  *
@@ -456,8 +465,13 @@ insert:
 	/* adjust offset to point where the original next header starts */
 	offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
 	kmem_intr_free(ip6af, sizeof(struct ip6asfrag));
+	next += offset - sizeof(struct ip6_hdr);
+	if ((u_int)next > IPV6_MAXPACKET) {
+		frag6_dropfrag(q6);
+		goto dropfrag;
+	}
 	ip6 = mtod(m, struct ip6_hdr *);
-	ip6->ip6_plen = htons(next + offset - sizeof(struct ip6_hdr));
+	ip6->ip6_plen = htons(next);
 	ip6->ip6_src = q6->ip6q_src;
 	ip6->ip6_dst = q6->ip6q_dst;
 	nxt = q6->ip6q_nxt;
@@ -472,20 +486,14 @@ insert:
 	} else {
 		/* this comes with no copy if the boundary is on cluster */
 		if ((t = m_split(m, offset, M_DONTWAIT)) == NULL) {
-			frag6_remque(q6);
-			frag6_nfrags -= q6->ip6q_nfrag;
-			kmem_intr_free(q6, sizeof(struct ip6q));
-			frag6_nfragpackets--;
+			frag6_dropfrag(q6);
 			goto dropfrag;
 		}
 		m_adj(t, sizeof(struct ip6_frag));
 		m_cat(m, t);
 	}
 
-	frag6_remque(q6);
-	frag6_nfrags -= q6->ip6q_nfrag;
-	kmem_intr_free(q6, sizeof(struct ip6q));
-	frag6_nfragpackets--;
+	frag6_dropfrag(q6);
 
 	{
 		KASSERT(m->m_flags & M_PKTHDR);
@@ -585,10 +593,7 @@ frag6_freef(struct ip6q *q6)
 		kmem_intr_free(af6, sizeof(struct ip6asfrag));
 	}
 
-	frag6_remque(q6);
-	frag6_nfrags -= q6->ip6q_nfrag;
-	kmem_intr_free(q6, sizeof(struct ip6q));
-	frag6_nfragpackets--;
+	frag6_dropfrag(q6);
 }
 
 /*

Reply via email to