authorbluhm <bluhm@openbsd.org>2017-10-18 17:01:14 +0000
committerbluhm <bluhm@openbsd.org>2017-10-18 17:01:14 +0000
commit1662d0a7d67275c7b60b9cb48ce2fe303179d8ac (patch)
tree003714b477437d51228123640e6df3afacfff088
parentadd support for printing function arguments when displaying a trace (diff)
When reusing an mbuf at the upper end of the network stack, strip
off the mbuf properties with m_resethdr(). It is a new packet, especially M_LOOP indicating that it was running through lo(4) should be cleared. Use the ph_loopcnt to prevent looping at the upper end of the stack. Although not strictly necessary in icmp reflect, it is a good idea to increase and check the counter here, like in socket splicing. OK mpi@ sashan@
-rw-r--r--sys/netinet/ip_icmp.c11
-rw-r--r--sys/netinet6/icmp6.c17
2 files changed, 17 insertions, 11 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 954f4219769..f218b6f428e 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.172 2017/10/09 08:35:38 mpi Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.173 2017/10/18 17:01:14 bluhm Exp $ */
/* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
/*
@@ -714,10 +714,13 @@ icmp_reflect(struct mbuf *m, struct mbuf **op, struct in_ifaddr *ia)
return (EHOSTUNREACH);
}
-#if NPF > 0
- pf_pkt_addr_changed(m);
-#endif
+ if (m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) {
+ m_freem(m);
+ return (ELOOP);
+ }
rtableid = m->m_pkthdr.ph_rtableid;
+ m_resethdr(m);
+ m->m_pkthdr.ph_rtableid = rtableid;
/*
* If the incoming packet was addressed directly to us,
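Review bot: The new block in icmp_reflect() relies on two properties of m_resethdr() that this diff does not show, since m_resethdr() is not among the changed files. The loop bound only holds if m_resethdr() carries ph_loopcnt across the reset, and dropping pf_pkt_addr_changed() is only safe if m_resethdr() also detaches the pf state linked to the mbuf. A comment above the reset would record that dependency, for example `/* new packet: m_resethdr() wipes the header (M_LOOP, pf state); rtableid is restored here, ph_loopcnt must survive the reset */`. The same applies to the matching block in the icmp6_reflect hunk at -1056,6 and to the pf_pkt_addr_changed() removal at -1162,9. icmp_reflect's body starts and ends outside the hunk.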
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index bf8567c330c..421280690c9 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.218 2017/10/18 13:16:35 bluhm Exp $ */
+/* $OpenBSD: icmp6.c,v 1.219 2017/10/18 17:01:14 bluhm Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -1044,6 +1044,7 @@ icmp6_reflect(struct mbuf *m, size_t off)
struct icmp6_hdr *icmp6;
struct in6_addr t, *src = NULL;
struct sockaddr_in6 sa6_src, sa6_dst;
+ u_int rtableid;
CTASSERT(sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr) <= MHLEN);
@@ -1056,6 +1057,12 @@ icmp6_reflect(struct mbuf *m, size_t off)
goto bad;
}
+ if (m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP)
+ goto bad;
+ rtableid = m->m_pkthdr.ph_rtableid;
+ m_resethdr(m);
+ m->m_pkthdr.ph_rtableid = rtableid;
+
/*
* If there are extra headers between IPv6 and ICMPv6, strip
* off that header first.
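Review bot: The M_MAXLOOP drop in icmp6_reflect() leaves through `goto bad` like every other failure, so a packet that hit the loop limit cannot be told apart from an ordinary drop. icmp_reflect() returns ELOOP for the same condition, while this function returns nothing to its caller. The `bad` label is outside the hunk, so what it accounts for cannot be checked from here; if it only frees the mbuf, bumping an existing ICMPv6 error statistic before the jump would make the event visible to monitoring. A short comment on the check, such as `/* reflected too often: drop instead of looping */`, would also state the intent.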
@@ -1114,7 +1121,7 @@ icmp6_reflect(struct mbuf *m, size_t off)
* but is possible (for example) when we encounter an error while
* forwarding procedure destined to a duplicated address of ours.
*/
- rt = rtalloc(sin6tosa(&sa6_dst), 0, m->m_pkthdr.ph_rtableid);
+ rt = rtalloc(sin6tosa(&sa6_dst), 0, rtableid);
if (rtisvalid(rt) && ISSET(rt->rt_flags, RTF_LOCAL) &&
!ISSET(ifatoia6(rt->rt_ifa)->ia6_flags,
IN6_IFF_ANYCAST|IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED)) {
@@ -1129,8 +1136,7 @@ icmp6_reflect(struct mbuf *m, size_t off)
* that we do not own. Select a source address based on the
* source address of the erroneous packet.
*/
- rt = rtalloc(sin6tosa(&sa6_src), RT_RESOLVE,
- m->m_pkthdr.ph_rtableid);
+ rt = rtalloc(sin6tosa(&sa6_src), RT_RESOLVE, rtableid);
if (!rtisvalid(rt)) {
char addr[INET6_ADDRSTRLEN];
@@ -1162,9 +1168,6 @@ icmp6_reflect(struct mbuf *m, size_t off)
m->m_flags &= ~(M_BCAST|M_MCAST);
-#if NPF > 0
- pf_pkt_addr_changed(m);
-#endif
ip6_send(m);
return;