path: root/sys/netinet6
Commit message | Author | Age | Files | Lines
* pf: Fix possible incorrect IPv6 fragmentation | kp | 2017-04-20 | 1 | -0/+2
When forwarding, pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments. For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12). We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake.
Reported by: Antonios Atlasis <aatlasis at secfu net>
MFC after: 3 days
(cherry picked from commit 4f3397263b95a45dd58e2be3a566029f8841cace)
* MFC r298398: | Luiz Otavio O Souza | 2016-05-12 | 2 | -4/+4
Constify mbuf pointer for IPSEC functions where mbuf isn't modified.
TAG: IPSEC-HEAD
(cherry picked from commit 9570d79d4a30dcd428dd55f2f996c1090c777c52)
* MFC r288418: | Luiz Otavio O Souza | 2016-05-12 | 1 | -3/+1
Take an extra reference to the security policy before calling crypto_dispatch(). Currently we perform crypto requests for IPSEC synchronously for most crypto providers (software, aesni) and only VIA padlock calls the crypto callback asynchronously. In synchronous mode it is possible that the security policy will be removed during the processing of the crypto request. And the crypto callback will release the last reference to the SP. Then upon return into ipsec[46]_process_packet() IPSECREQUEST_UNLOCK() will be called on an already freed request. To prevent this we will take an extra reference to the SP.
PR: 201876
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
(cherry picked from commit 3e1742ed6cd844d82787f2fa5cd57652805c6b34)
* MFC r282047: | Luiz Otavio O Souza | 2016-05-12 | 1 | -3/+1
Remove now unneeded KEY_FREESP() for the case when ipsec[46]_process_packet() returns EJUSTRETURN.
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
(cherry picked from commit 197b7eb2f8155f5426a8399ee2316bc6363484bc)
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2016-02-28 | 1 | -25/+26
* MFC r295549: | tuexen | 2016-02-25 | 1 | -25/+26
Loopback addresses are 127.0.0.0/8, not 127.0.0.1/32.
MFC r295668: Improve the teardown of the SCTP stack.
MFC r295670: Whitespace changes.
MFC r295708: Address a warning reported by D5245 / PVS.
MFC r295709: Code cleanup which will silence a warning in PVS / D5245.
MFC r295710: Add protection code for issues reported by PVS / D5245.
MFC r295771: Fix reporting of mapped addresses in getpeername() and getsockname() for IPv6 SCTP sockets. These bugs were found because of an issue reported by PVS / D5245.
MFC r295772: Add some protection code.
MFC r295773: Add protection code.
MFC r295805: Use the SCTP level pointer, not the interface level.
MFC r295929: Don't leak an address in an error path.
Approved by: re (marius)
* Merge remote-tracking branch 'origin/stable/10' into devel | Luiz Otavio O Souza | 2016-02-09 | 1 | -1/+1
* MFC r292601,292654: | bz | 2016-02-08 | 1 | -1/+1
Since r256624 (head) we have been leaking routing table allocations on vnet enabled jail shutdown. Call the provided cleanup routines for IP versions 4 and 6 to plug these leaks.
Sponsored by: The FreeBSD Foundation
Reviewed by: gnn
Differential Revision: https://reviews.freebsd.org/D4530
Approved by: re (gjb)
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2016-01-25 | 2 | -7/+4
* MFC 292953: | bz | 2016-01-21 | 1 | -2/+2
This code is not in modules that need KPI stability so no need to use the wrapper functions as used in r252511 (head). We can directly use the locking macros.
* MFC r291904: | tuexen | 2016-01-17 | 1 | -1/+1
Fix the allocation of outgoing streams:
  * When processing a cookie, use the number of streams announced in the INIT-ACK.
  * When sending an INIT-ACK for an existing association, use the value from the association, not from the end-point.
* MFC r285877: | tuexen | 2016-01-16 | 1 | -4/+1
Move including netinet/icmp6.h around to avoid a problem when including netinet/icmp6.h and net/netmap.h. Both use ni_flags... This allows building multistack with SCTP support.
* Add patch from FreeBSD PR 206231. Ticket #5748 | Chris Buechler | 2016-01-22 | 1 | -0/+1
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2016-01-14 | 1 | -1/+4
* o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp] | glebius | 2016-01-14 | 1 | -1/+4
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2016-01-13 | 1 | -0/+1
* MFH r292836: | wollman | 2016-01-07 | 1 | -0/+1
in6_if2idlen: treat bridge(4) interfaces like other Ethernet interfaces
bridge(4) interfaces have an if_type of IFT_BRIDGE, rather than IFT_ETHER, even though they only support Ethernet-style links. This caused in6_if2idlen to emit an "unknown link type (209)" warning to the console every time it was called. Add IFT_BRIDGE to the case statement in the appropriate place, indicating that it uses the same IPv6 address format as other Ethernet-like interfaces.
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2015-12-22 | 1 | -0/+2
* MFC r292219: | kp | 2015-12-21 | 1 | -0/+2
inet6: Do not assume every interface has ip6 enabled.
Certain interfaces (e.g. pfsync0) do not have ip6 addresses (in other words, ifp->if_afdata[AF_INET6] is NULL). Ensure we don't panic when the MTU is updated. pfsync interfaces will never have ip6 support, because it's explicitly disabled in in6_domifattach().
PR: 205194
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2015-12-10 | 1 | -0/+10
* Fix typo in r291986. | ae | 2015-12-08 | 1 | -1/+1
(this is a direct commit to stable/10)
* MFC r291578: | ae | 2015-12-08 | 1 | -0/+10
mld_v2_dispatch_general_query() is used by mld_fasttimo_vnet() to send a reply to the MLDv2 General Query. In the case when a router has a lot of multicast groups, the reply can take several packets due to the MTU limitation. Also we have a limit MLD_MAX_RESPONSE_BURST == 4, that limits the number of packets we send in one shot. Then we recalculate the timer value and schedule the remaining packets for sending. The problem is that when we call mld_v2_dispatch_general_query() to send the remaining packets, we queue a new reply in the same mbuf queue. And when the number of packets is bigger than MLD_MAX_RESPONSE_BURST, we get an endless reply of MLDv2 reports. To fix this, add the check for remaining packets in the queue.
PR: 204831
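The timer-driven loop described in r291578, as an added simulation that is not FreeBSD code: the queue, the burst limit and the re-arm logic are modelled in a few lines, with the buggy and fixed behaviour of the dispatch step selectable by a flag. struct mld_state, fasttimo() and ticks_to_drain() are illustrative names, and the only assumption taken from the message is that the fix skips building a new reply while packets from the previous burst are still queued.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model, not FreeBSD code, of the MLDv2 General Query reply
 * loop fixed by r291578. A reply too large for the MTU is split into
 * npkts report packets; the fast timer sends at most MLD_MAX_RESPONSE_BURST
 * of them per tick and re-arms itself while packets remain. The bug: every
 * re-armed tick rebuilt the whole reply and appended it to the same queue.
 */
#define MLD_MAX_RESPONSE_BURST	4

struct mld_state {
	size_t		queued;		/* packets waiting in the mbuf queue */
	bool		timer_armed;	/* a reply is pending */
	unsigned long	sent;
};

/* Build the General Query reply and queue it (mld_v2_dispatch_general_query). */
static void
dispatch_general_query(struct mld_state *st, size_t npkts, bool fixed)
{
	/* r291578: if the previous burst left packets queued, send those
	 * first instead of queueing a fresh copy of the whole reply. */
	if (fixed && st->queued > 0)
		return;
	st->queued += npkts;
}

/* One fast-timer tick (mld_fasttimo_vnet): drain a burst, re-arm if needed. */
static void
fasttimo(struct mld_state *st, size_t npkts, bool fixed)
{
	size_t burst;

	if (!st->timer_armed)
		return;
	dispatch_general_query(st, npkts, fixed);
	burst = st->queued < MLD_MAX_RESPONSE_BURST ?
	    st->queued : MLD_MAX_RESPONSE_BURST;
	st->queued -= burst;
	st->sent += burst;
	st->timer_armed = (st->queued > 0);
}

/*
 * Simulate a General Query on a router whose reply needs npkts packets.
 * Returns the tick on which the queue drains, or -1 if it never does
 * within max_ticks. Packets sent so far are stored in *sent_out if given.
 */
static int
ticks_to_drain(size_t npkts, bool fixed, int max_ticks, unsigned long *sent_out)
{
	struct mld_state st = { .queued = 0, .timer_armed = true, .sent = 0 };
	int t, rc = -1;

	for (t = 1; t <= max_ticks; t++) {
		fasttimo(&st, npkts, fixed);
		if (!st.timer_armed) {
			rc = t;
			break;
		}
	}
	if (sent_out != NULL)
		*sent_out = st.sent;
	return (rc);
}

int
main(void)
{
	unsigned long sent;
	int t;

	t = ticks_to_drain(10, false, 50, &sent);
	printf("buggy: drained at tick %d, %lu packets sent\n", t, sent);
	t = ticks_to_drain(10, true, 50, &sent);
	printf("fixed: drained at tick %d, %lu packets sent\n", t, sent);
	return (0);
}
```

With ten report packets the fixed path drains in three ticks (4 + 4 + 2); the buggy path gains six packets per tick and never drains, which is the report storm the commit describes. Any reply longer than MLD_MAX_RESPONSE_BURST packets triggers it.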
* Merge remote-tracking branch 'origin/stable/10' into devel | Renato Botelho | 2015-11-11 | 2 | -19/+47
* MFC r288600: | hrs | 2015-11-04 | 2 | -19/+47
- Schedule DAD for IN6_IFF_TENTATIVE addresses in nd6_timer(). This catches cases where DAD probes cannot be sent because of IFF_UP && !IFF_DRV_RUNNING.
- nd6_dad_starttimer() now calls nd6_dad_ns_output(), instead of calling it before nd6_dad_starttimer().
- Do not release an entry in dadq when a duplicate entry is being added.
* MFC r282046: | Luiz Otavio O Souza | 2015-10-20 | 2 | -9/+8
Fix possible use after free due to security policy deletion.
When we are passing an mbuf to IPSec processing via ipsec[46]_process_packet(), we hold one reference to the security policy and release it just after return from this function. But IPSec processing can be deferred and when we release the reference to the security policy after ipsec[46]_process_packet(), a user can delete this security policy from the SPDB. And when IPSec processing is done, the xform's callback function will access already freed memory. To fix this move KEY_FREESP() into the callback function. Now the IPSec code will release the reference to the SP after processing is finished.
Differential Revision: https://reviews.freebsd.org/D2324
No objections from: #network
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
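The ownership problem r282046 describes, as an added model that is not FreeBSD code: a refcounted security policy, a deferred callback queue standing in for the crypto provider, and the two orderings side by side. struct secpolicy, crypto_dispatch(), run_callback() and the scenario functions are illustrative names; the "freed" flag stands in for memory actually returned to the allocator so the use-after-free can be detected instead of crashing. The synchronous follow-on in r288418 (the callback dropping the last reference before the caller unlocks the request) is not modelled here.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model, not FreeBSD code, of the reference ownership problem
 * fixed by r282046. A security policy (SP) is refcounted: the SPDB holds
 * one reference and a packet being processed holds another. Crypto
 * processing may be deferred to a callback, so if the caller releases its
 * reference right after dispatching, an administrator can delete the SP
 * before the callback runs.
 */
struct secpolicy {
	int	refcnt;
	bool	freed;		/* stands in for memory returned to the allocator */
};

struct ipsec_request {
	struct secpolicy *sp;
	int		  pkt;
};

/* Deferred-work queue standing in for the crypto provider's callback path. */
#define QLEN 8
static struct ipsec_request queue[QLEN];
static unsigned qhead, qtail;

static void key_addref(struct secpolicy *sp) { sp->refcnt++; }
static void key_freesp(struct secpolicy *sp) { if (--sp->refcnt == 0) sp->freed = true; }

enum { CB_OK = 0, CB_USE_AFTER_FREE = -1, CB_EMPTY = -2 };

static int
crypto_dispatch(struct secpolicy *sp, int pkt)
{
	if (qtail - qhead >= QLEN)
		return (-1);
	queue[qtail % QLEN].sp = sp;
	queue[qtail % QLEN].pkt = pkt;
	qtail++;
	return (0);
}

/*
 * Run one queued xform callback. It has to touch the SP; with the fix the
 * callback also owns the packet's reference and releases it here.
 */
static int
run_callback(bool callback_owns_ref)
{
	struct ipsec_request *req;

	if (qhead == qtail)
		return (CB_EMPTY);
	req = &queue[qhead++ % QLEN];
	if (req->sp->freed)
		return (CB_USE_AFTER_FREE);	/* kernel would touch freed memory */
	if (callback_owns_ref)
		key_freesp(req->sp);
	return (CB_OK);
}

static struct secpolicy demo_sp;

/* Old ordering: caller drops its reference on return from process_packet(). */
static int
scenario_before(void)
{
	demo_sp = (struct secpolicy){ .refcnt = 1, .freed = false };	/* SPDB's ref */
	key_addref(&demo_sp);		/* policy lookup for this packet */
	crypto_dispatch(&demo_sp, 1);	/* deferred, not yet processed */
	key_freesp(&demo_sp);		/* caller releases after process_packet() */
	key_freesp(&demo_sp);		/* admin deletes the SP from the SPDB */
	return (run_callback(false));	/* CB_USE_AFTER_FREE */
}

/* Fixed ordering: the reference travels with the request and is released
 * by the callback, so the admin's delete only drops the SPDB reference. */
static int
scenario_after(void)
{
	demo_sp = (struct secpolicy){ .refcnt = 1, .freed = false };
	key_addref(&demo_sp);
	crypto_dispatch(&demo_sp, 1);
	key_freesp(&demo_sp);		/* admin deletes; refcnt 2 -> 1 */
	return (run_callback(true));	/* CB_OK; callback drops the last ref */
}

int
main(void)
{
	printf("before: %d\n", scenario_before());
	printf("after: %d (refcnt=%d freed=%d)\n", scenario_after(),
	    demo_sp.refcnt, demo_sp.freed);
	return (0);
}
```

The point to take from the fixed scenario is that the reference count ends at zero only after the callback has finished with the policy, so moving KEY_FREESP() into the callback both closes the use-after-free and avoids leaking the packet's reference.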
* MFC r275716: | Luiz Otavio O Souza | 2015-10-20 | 2 | -3/+0
Do not count security policy violation twice. ipsec*_in_reject() do this on their own.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r275715: | Luiz Otavio O Souza | 2015-10-20 | 2 | -49/+20
Use ipsec6_in_reject() to simplify ip6_ipsec_fwd() and ip6_ipsec_input(). ipsec6_in_reject() does the same things, also it counts policy violation errors. Do the IPSEC check in ip6_forward() after the address checks. Also use ip6_ipsec_fwd() to make the code similar to the IPv4 implementation.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r275710: | Luiz Otavio O Souza | 2015-10-20 | 4 | -12/+8
Remove flag/flags argument from the following functions:
  ipsec_getpolicybyaddr()
  ipsec4_checkpolicy()
  ip_ipsec_output()
  ip6_ipsec_output()
The only flag used here was IP_FORWARDING.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r275704: | Luiz Otavio O Souza | 2015-10-20 | 1 | -24/+11
Move ip_ipsec_fwd() from ip_input() into ip_forward(). Remove the check for presence of the PACKET_TAG_IPSEC_IN_DONE mbuf tag from ip_ipsec_fwd(). The PACKET_TAG_IPSEC_IN_DONE tag means that the packet is already handled by the IPSEC code. This means that before IPSEC processing it was destined to our address and the security policy was checked in ip_ipsec_input(). After IPSEC processing the packet has new IP addresses and the destination address isn't our own. So, anyway we can't check the security policy from the mbuf tag, because it corresponds to different addresses. We should check the security policy that corresponds to the packet attributes in both cases - when it has an mbuf tag and when it has not.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r275703: | Luiz Otavio O Souza | 2015-10-20 | 1 | -21/+5
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its security policy. The changed block of code in ip*_ipsec_input() is called when the packet has an ESP/AH header. Presence of the PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the packet was already handled by IPSEC and reinjected in the netisr, and it has other ESP/AH headers (encrypted twice?). Since it was already processed by the IPSEC code, the AH/ESP headers were already stripped (and probably the outer IP header was stripped too) and the security policy from the tdb_ident was applied to those headers. It is incorrect to apply this security policy to the current headers. Also make the ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r275702: | Luiz Otavio O Souza | 2015-10-20 | 1 | -47/+16
Remove check for presence of PACKET_TAG_IPSEC_PENDING_TDB and PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED mbuf tags. They aren't used in FreeBSD. Instead check presence of the PACKET_TAG_IPSEC_OUT_DONE mbuf tag. If it is found, bypass the security policy lookup as described in the comment. The PACKET_TAG_IPSEC_OUT_DONE tag is added to the mbuf when the IPSEC code finishes ESP/AH processing. Since it was already finished, this means the security policy placed in the tdb_ident was already checked. And there is no reason to check it again here.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* MFC r272299: | Luiz Otavio O Souza | 2015-10-20 | 1 | -11/+4
Remove redundant call to ipsec_getpolicybyaddr(). ipsec_hdrsiz() will call it internally.
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
* Revert IPSEC patches. | Luiz Otavio O Souza | 2015-10-20 | 2 | -57/+47
Revert "Importing pfSense patch IPSEC_sysctl.RELENG_10.diff"
This reverts commit 1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58.
TAG: IPSEC-HEAD
Issue: #4841
* Merge branch 'stable/10' into devel | Renato Botelho | 2015-10-07 | 1 | -1/+1
* Remove extra space introduced in r287734. This is a stable/10 only fix | garga | 2015-09-22 | 1 | -1/+1
since the original commit (r287094) is correct.
Approved by: loos
Sponsored by: Rubicon Communications (Netgate)
* Merge branch 'stable/10' into devel | Renato Botelho | 2015-09-22 | 5 | -142/+47
* MFC 287094: | hrs | 2015-09-13 | 4 | -18/+19
- Deprecate IN6_IFF_NODAD. It was used to prevent DAD on a loopback interface but in6if_do_dad() already had a check for IFF_LOOPBACK.
- Remove in6if_do_dad() check in in6_broadcast_ifa(). An address which needs DAD always has IN6_IFF_TENTATIVE there.
- in6if_do_dad() now returns EAGAIN when the interface is not ready since the DAD callout handler ignores such an interface.
- In the DAD callout handler, mark an address as IN6_IFF_TENTATIVE when the interface has ND6_IFF_IFDISABLED. And do the IFF_UP and IFF_DRV_RUNNING check consistently when DAD is required.
- draft-ietf-6man-enhanced-dad is now published as RFC 7527.
- Fix some typos.
* MFC 287095, 287610, 287611, 287617: | hrs | 2015-09-13 | 3 | -114/+22
Remove obsolete API (SIOCGDRLST_IN6 and SIOCGPRLST_IN6) support.
* MFC 287609: | hrs | 2015-09-13 | 1 | -4/+6
Do not add IN6_IFF_TENTATIVE when ND6_IFF_NO_DAD.
* MFC 287608: | hrs | 2015-09-13 | 2 | -6/+0
Remove IN6_IFF_NOPFX. This flag was no longer used.
* Importing pfSense patch IPSEC_sysctl.RELENG_10.diff | Renato Botelho | 2015-08-17 | 2 | -47/+57
* Importing pfSense patch pfil.RELENG_10.diff | Renato Botelho | 2015-08-17 | 1 | -0/+4
* MFC r285710: | ae | 2015-08-05 | 1 | -0/+1
Invoke LLE event handler when entry is deleted.
* MFC r282805: | hrs | 2015-07-23 | 2 | -16/+4
- Remove ND6_IFF_IGNORELOOP. This functionality was useless in practice because a link where looped back NS messages are permanently observed does not work with either NDP or ARP for IPv4.
- draft-ietf-6man-enhanced-dad is now RFC 7527.
Approved by: re (gjb)
* MFC r273992: | hrs | 2015-07-23 | 1 | -26/+24
Fix a bug which prevented ND6_IFF_IFDISABLED flag from clearing when the newly-added IPv6 address was /128.
Approved by: re (gjb)
* MFC r284515: | tuexen | 2015-06-20 | 1 | -1/+3
Add FIB support for SCTP. This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200379
PR: 200379
* Merge r281234 | kp | 2015-06-18 | 1 | -40/+41
Evaluate packet size after the firewall had its chance
Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet.
Differential Revision: https://reviews.freebsd.org/D2821
Reviewed by: gnn
* Merge r281165 | kp | 2015-06-18 | 1 | -15/+2
Remove duplicate code
We'll just fall into the same local delivery block under the 'if (m->m_flags & M_FASTFWD_OURS)'.
Suggested by: ae
Differential Revision: https://reviews.freebsd.org/D2820
Reviewed by: gnn
* Merge r280955 | kp | 2015-06-18 | 2 | -4/+6
Preserve IPv6 fragment IDs across reassembly and refragmentation
When forwarding fragmented IPv6 packets and filtering with PF we reassemble and refragment. That means we generate new fragment headers and a new fragment ID. We already save the fragment IDs so we can do the reassembly so it's straightforward to apply the incoming fragment ID on the refragmented packets.
Differential Revision: https://reviews.freebsd.org/D2817
Reviewed by: gnn
* Merge r278842 | kp | 2015-06-18 | 2 | -48/+64
Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4).
Differential Revision: https://reviews.freebsd.org/D2815
Reviewed by: gnn
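The three pf refragmentation commits on this page (r278842's shared ip6_fragment(), r280955's fragment-ID preservation, and the 2017-04-20 "possible incorrect IPv6 fragmentation" fix at the top) all depend on one rule of the IPv6 fragment header: the offset field counts 8-octet units, so every fragment but the last must carry a payload that is a multiple of 8, and refragmented packets must reuse the incoming Identification. The following is an added model of that rule, not FreeBSD or pf source. struct frag, refragment(), frags_valid() and the demo_* functions are illustrative names; where ip6_fragment() now asserts, the model returns -1, and the 8-byte plus 12-byte case from the commit message is embedded as constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not FreeBSD code: the IPv6 fragment header stores the
 * offset in 8-octet units, so every fragment except the last must carry a
 * payload length that is a multiple of 8, and a refragmented packet must
 * reuse the Identification of the packet that was reassembled.
 */
#define IP6_FRAG_UNIT	8
#define MAX_FRAGS	16

struct frag {
	uint32_t id;		/* Identification, copied from the reassembled packet */
	uint16_t off_units;	/* fragment offset field, in 8-octet units */
	uint16_t len;		/* payload bytes in this fragment */
	bool	 more;		/* M flag */
};

/* Largest fragment size seen during reassembly, rounded down so it can
 * legally be used as the refragmentation size. */
static size_t
ip6_fragsize_align(size_t largest)
{
	return (largest & ~(size_t)(IP6_FRAG_UNIT - 1));
}

/* Split payload_len bytes into fragments of at most fragsize bytes with no
 * alignment check: what a caller got from ip6_fragment() before the fix. */
static int
refragment_unchecked(uint32_t id, size_t payload_len, size_t fragsize,
    struct frag *out, size_t max_out)
{
	size_t off = 0, len;
	int n = 0;

	if (fragsize == 0)
		return (-1);
	while (off < payload_len) {
		if ((size_t)n >= max_out)
			return (-1);
		len = payload_len - off;
		if (len > fragsize)
			len = fragsize;
		out[n].id = id;
		/* An unaligned byte offset is silently truncated on the wire. */
		out[n].off_units = (uint16_t)(off / IP6_FRAG_UNIT);
		out[n].len = (uint16_t)len;
		out[n].more = (off + len < payload_len);
		off += len;
		n++;
	}
	return (n);
}

/* Checked variant: refuse an unaligned fragment size (ip6_fragment() asserts). */
static int
refragment(uint32_t id, size_t payload_len, size_t fragsize,
    struct frag *out, size_t max_out)
{
	if (fragsize % IP6_FRAG_UNIT != 0)
		return (-1);
	return (refragment_unchecked(id, payload_len, fragsize, out, max_out));
}

/* Receiver-side check: one Identification, contiguous once the offset field
 * is expanded to bytes, 8-aligned non-final fragments, M == 0 only last. */
static bool
frags_valid(const struct frag *f, int n, uint32_t id, size_t payload_len)
{
	size_t expect = 0;
	int i;

	if (n <= 0)
		return (false);
	for (i = 0; i < n; i++) {
		if (f[i].id != id || (size_t)f[i].off_units * IP6_FRAG_UNIT != expect)
			return (false);
		if (f[i].more && f[i].len % IP6_FRAG_UNIT != 0)
			return (false);
		if (!f[i].more && i != n - 1)
			return (false);
		expect += f[i].len;
	}
	return (!f[n - 1].more && expect == payload_len);
}

/* The reported case (constructed input): an 8-byte and a 12-byte fragment
 * arrived, so the reassembled payload is 20 bytes and the largest is 12. */
#define DEMO_ID		0x1234abcdu
#define DEMO_PAYLOAD	20
#define DEMO_LARGEST	12

static struct frag demo_frags[MAX_FRAGS];

/* Buggy path: 2 fragments, the second claiming offset 8 (12 / 8 == 1). */
static int
demo_buggy(void)
{
	return (refragment_unchecked(DEMO_ID, DEMO_PAYLOAD, DEMO_LARGEST,
	    demo_frags, MAX_FRAGS));
}

/* Fixed path: align 12 down to 8 first, giving fragments of 8, 8 and 4. */
static int
demo_fixed(void)
{
	return (refragment(DEMO_ID, DEMO_PAYLOAD,
	    ip6_fragsize_align(DEMO_LARGEST), demo_frags, MAX_FRAGS));
}

int
main(void)
{
	int n = demo_buggy();

	printf("unaligned: %d fragments, valid=%d, second offset=%u\n", n,
	    frags_valid(demo_frags, n, DEMO_ID, DEMO_PAYLOAD),
	    (unsigned)demo_frags[1].off_units * IP6_FRAG_UNIT);
	n = demo_fixed();
	printf("aligned: %d fragments, valid=%d\n", n,
	    frags_valid(demo_frags, n, DEMO_ID, DEMO_PAYLOAD));
	return (0);
}
```

The unchecked path reproduces the commit's example exactly: a 12-byte first fragment followed by a fragment whose offset field decodes to 8, so the receiver sees overlap and a 4-byte hole. The checked path rejects size 12 outright, and rounding the tracked size down to 8 yields a sequence the receiver accepts, with the original Identification on every fragment as r280955 requires.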