diff options
| author | kp <kp@FreeBSD.org> | 2016-10-02 21:06:55 +0000 |
|---|---|---|
| committer | kp <kp@FreeBSD.org> | 2016-10-02 21:06:55 +0000 |
| commit | 2cb4db0992c614f2818c21a26ef2b4f7ed296598 (patch) | |
| tree | bbe14b7dcc55c6e3ed0948aa239ada10fcc246b6 /lib/libc/stdlib | |
| parent | 3674ec6301bd9fb1f23360fea309d1ec46d0f0e8 (diff) | |
| download | FreeBSD-src-2cb4db0992c614f2818c21a26ef2b4f7ed296598.zip FreeBSD-src-2cb4db0992c614f2818c21a26ef2b4f7ed296598.tar.gz | |
MFC r306289:
bridge: Fix fragment handling and memory leak
Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
feature (like pf'scrub) is enabled on the bridge. This patch fixes corrupted
packet problem and the panic (triggered easly with low RAM) as explain in PR
185633.
bridge_pfil and bridge_fragment relationship:
bridge_pfil() receive (IN direction) packets and sent it to the firewall The
firewall can be configured for reassembling fragmented packet (like pf'scrubing)
in one mbuf chain when bridge_pfil() need to send this reassembled packet to the
outgoing interface, it needs to re-fragment it by using bridge_fragment()
bridge_fragment() had to split this mbuf (using ip_fragment) first then
had to M_PREPEND each packet in the mbuf chain for adding Ethernet
header.
But M_PREPEND can sometime create a new mbuf on the begining of the mbuf chain,
then the "main" pointer of this mbuf chain should be updated and this case is
tottaly forgotten. The original bridge_fragment code (Revision 158140,
2006 April 29) came from OpenBSD, and the call to bridge_enqueue was
embedded. But on FreeBSD, bridge_enqueue() is done after bridge_fragment(),
then the original OpenBSD code can't work as-it of FreeBSD.
PR: 185633
Submitted by: Olivier Cochard-Labbé
Diffstat (limited to 'lib/libc/stdlib')
0 files changed, 0 insertions, 0 deletions
