Page MenuHomeFreeBSD
Differential D8764

Check that tryforward didn't changed mbuf
ClosedPublic
Actions

Authored by ae on Dec 12 2016, 12:14 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 22, 11:13 PM
Unknown Object (File)
Tue, Nov 19, 2:09 AM
Unknown Object (File)
Mon, Nov 18, 11:09 AM
Unknown Object (File)
Mon, Nov 18, 12:27 AM
Unknown Object (File)
Mon, Nov 18, 12:10 AM
Unknown Object (File)
Sun, Nov 17, 9:57 AM
Unknown Object (File)
Thu, Nov 14, 12:04 PM
Unknown Object (File)
Sun, Nov 10, 2:49 PM
View All 83 Files
Subscribers
imp

Details

Reviewers
melifaro
gnn
Group Reviewers
network
Commits
rS310258: ip[6]_tryforward does inbound and outbound packet firewall processing.
Summary

ip[6]_input() calls ip[6]_tryforward() and expects if returned value
is not NULL, this means that it left mbuf unchanged for slow path processing.
This isn't always true, because tryforward does inbound and outbound packet
processing. This at least can result in changed mbuf pointer due to used
m_pullup(). Also in some cases tryforward can return this changed mbuf
back to the ip[6]_input() due to it decided that destination becomes our
own address. This wasn't the problem, when we called ip[6]_fastfwd() from
ether_input(), because netisr invoked ip[6]_input() and all pointers
was updated at the top of ip[6]_input().

To fix this I store the returned value from ip[6]_tryforward() into the
mbuf pointer, then check m_flags for M_FASTFWD_OURS flag. If it is present,
this means that ip[6]_tryforward() returned changed mbuf pointer.

Test Plan

I didn't tested this yet, but it seems it should be very easy to trigger the problem using ipfw fwd.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ae updated this revision to Diff 22842.Dec 12 2016, 12:14 PM
ae retitled this revision from to Check that tryforward didn't changed mbuf.
ae updated this object.
ae edited the test plan for this revision. (Show Details)
ae added a reviewer: melifaro.
Herald added a subscriber: imp. · View Herald TranscriptDec 12 2016, 12:14 PM
ae edited the test plan for this revision. (Show Details)Dec 12 2016, 12:19 PM
ae added reviewers: network, gnn.
ae updated this revision to Diff 22843.Dec 12 2016, 1:49 PM

Fix copy-paste bug, use correct label in the ip_input.

ae added a comment.Dec 12 2016, 7:53 PM

It appears not so easy to reproduce the bug. It seems ip_input() always gets mbuf with m_len that enough to avoid m_pullup().
But I'm sure it possible in some cases trigger the problem.

Closed by commit rS310258: ip[6]_tryforward does inbound and outbound packet firewall processing. (authored by ae). · Explain WhyDec 19 2016, 11:03 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
33 lines
netinet6/
35 lines

Diff 23086

View Options

head/sys/netinet/ip_input.c

Loading...
View Options

head/sys/netinet6/ip6_input.c

Loading...