<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test2/sys/netipsec, branch releng/11.2</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test2/atom?h=releng%2F11.2</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test2/atom?h=releng%2F11.2'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/'/>
<updated>2018-05-03T08:17:12Z</updated>
<entry>
<title>MFC r333016:</title>
<updated>2018-05-03T08:17:12Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-05-03T08:17:12Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=cd831478bf8d10f28de42f736e8d0047e2ea68af'/>
<id>urn:sha1:cd831478bf8d10f28de42f736e8d0047e2ea68af</id>
<content type='text'>
  Merge r1.22-1.23 from NetBSD:
    Don't assume M_PKTHDR is set only on the first mbuf of the chain.
    The check is replaced by (m1 != m), which is equivalent to the previous
    code: we want to modify m-&gt;m_pkthdr.len only when 'm' was not passed in
    m_adj().

    Fix a pretty bad mistake, that has always been there:
     m_adj(m1, -(m1-&gt;m_len - roff));
     if (m1 != m)
  	m-&gt;m_pkthdr.len -= (m1-&gt;m_len - roff);

    This is wrong: m_adj() will modify m1-&gt;m_len, so we're using a wrong
    value when manually adjusting m-&gt;m_pkthdr.len.

  Reported by:	Maxime Villard &lt;max at m00nbsd dot net&gt;
  Obtained from:	NetBSD
</content>
</entry>
<entry>
<title>Revert r330897:</title>
<updated>2018-03-29T02:50:57Z</updated>
<author>
<name>Eitan Adler</name>
<email>eadler@FreeBSD.org</email>
</author>
<published>2018-03-29T02:50:57Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=4ab2e064d7950be84256d671a7ae93f87cc6aa36'/>
<id>urn:sha1:4ab2e064d7950be84256d671a7ae93f87cc6aa36</id>
<content type='text'>
This was intended to be a non-functional change. It wasn't. The commit
message was thus wrong. In addition it broke arm, and merged crypto
related code.

Revert with prejudice.

This revert skips files touched in r316370 since that commit was since
MFCed. This revert also skips files that require $FreeBSD$ property
changes.

Thank you to those who helped me get out of this mess including but not
limited to gonzo, kevans, rgrimes.

Requested by: gjb (re)
</content>
</entry>
<entry>
<title>MFC 331248: Set the proper vnet in IPsec callback functions.</title>
<updated>2018-03-28T17:49:31Z</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2018-03-28T17:49:31Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=d678d9072f23e531310c00ba0b5814ae2464895c'/>
<id>urn:sha1:d678d9072f23e531310c00ba0b5814ae2464895c</id>
<content type='text'>
When using hardware crypto engines, the callback functions used to handle
an IPsec packet after it has been encrypted or decrypted can be invoked
asynchronously from a worker thread that is not associated with a vnet.
Extend 'struct xform_data' to include a vnet pointer and save the current
vnet in this new member when queueing crypto requests in IPsec.  In the
IPsec callback routines, use the new member to set the current vnet while
processing the modified packet.

This fixes a panic when using hardware offload such as ccr(4) with IPsec
after VIMAGE was enabled in GENERIC.

Sponsored by:	Chelsio Communications
</content>
</entry>
<entry>
<title>MFC r314568 (by emaste):</title>
<updated>2018-03-27T18:52:27Z</updated>
<author>
<name>Dimitry Andric</name>
<email>dim@FreeBSD.org</email>
</author>
<published>2018-03-27T18:52:27Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=7aa8f0f6ea9ba5068508f05ef5dd099f91e3418d'/>
<id>urn:sha1:7aa8f0f6ea9ba5068508f05ef5dd099f91e3418d</id>
<content type='text'>
kern_sig.c: ANSIfy and remove archaic register keyword

Sponsored by:	The FreeBSD Foundation

MFC r318389 (by emaste):

Remove register keyword from sys/ and ANSIfy prototypes

A long long time ago the register keyword told the compiler to store
the corresponding variable in a CPU register, but it is not relevant
for any compiler used in the FreeBSD world today.

ANSIfy related prototypes while here.

Reviewed by:	cem, jhb
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D10193
</content>
</entry>
<entry>
<title>MFC r330779:</title>
<updated>2018-03-25T03:45:02Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-03-25T03:45:02Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=08d1fd2ed0f669d22fd1746df759129b63a686b7'/>
<id>urn:sha1:08d1fd2ed0f669d22fd1746df759129b63a686b7</id>
<content type='text'>
  Rework key_sendup_mbuf() a bit:

  o count in_nomem counter when we have failed to allocate mbuf for
    promisc socket;
  o count in_msgtarget counter when we have successfully sent data to socket;
  o Since we are sending messages in a loop, returning error on first fail
    interrupts the loop, and all remaining sockets will not receive this
    message. So, do not return error when we have failed to send data to ALL
    or REGISTERED target. Return error only for KEY_SENDUP_ONE case. Now,
    when some socket has overfilled its receive buffer, this will not break
    other sockets.
</content>
</entry>
<entry>
<title>MFC r330771:</title>
<updated>2018-03-25T03:37:26Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-03-25T03:37:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=5f844e8b531e1b8249bf52c69a4c7705f7b6f341'/>
<id>urn:sha1:5f844e8b531e1b8249bf52c69a4c7705f7b6f341</id>
<content type='text'>
  Remove obsoleted and unused key_sendup() function.
  Also remove declaration for nonexistent key_usrreq() function.

MFC r330772:
  Check that we have PF_KEY sockets before iterating over all RAW sockets.

MFC r330775:
  Replace panic() with KASSERTs.

MFC r330777:
  Add KASSERT to check that proper target was used.
</content>
</entry>
<entry>
<title>Partial merge of the SPDX changes</title>
<updated>2018-03-14T03:19:51Z</updated>
<author>
<name>Eitan Adler</name>
<email>eadler@FreeBSD.org</email>
</author>
<published>2018-03-14T03:19:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=be5d0b9566b13fdf8cabebb63334cbec12bfc409'/>
<id>urn:sha1:be5d0b9566b13fdf8cabebb63334cbec12bfc409</id>
<content type='text'>
These changes are incomplete but are making it difficult
to determine what other changes can/should be merged.

No objections from:	pfg
</content>
</entry>
<entry>
<title>MFC r329563:</title>
<updated>2018-02-26T12:01:42Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-02-26T12:01:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=61261068c18836259a8fe0092e32fa918626e0df'/>
<id>urn:sha1:61261068c18836259a8fe0092e32fa918626e0df</id>
<content type='text'>
  Remove unused variables and sysctl declaration.
</content>
</entry>
<entry>
<title>MFC r329561:</title>
<updated>2018-02-24T13:04:02Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-02-24T13:04:02Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=646da080636ea18e9bd22b90f524bc209d95b2a0'/>
<id>urn:sha1:646da080636ea18e9bd22b90f524bc209d95b2a0</id>
<content type='text'>
  Check packet length to avoid making an out-of-bounds access. Also save ah_nxt
  value to use it later, since ah pointer can become invalid.

  Reported by:	Maxime Villard &lt;max at m00nbsd dot net&gt;
</content>
</entry>
<entry>
<title>MFC r328350:</title>
<updated>2018-01-31T09:24:48Z</updated>
<author>
<name>Andrey V. Elsukov</name>
<email>ae@FreeBSD.org</email>
</author>
<published>2018-01-31T09:24:48Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=4e323646f9088535e2f325e0ef40e6637d090c50'/>
<id>urn:sha1:4e323646f9088535e2f325e0ef40e6637d090c50</id>
<content type='text'>
  Merge revision 1.35 from NetBSD:
    fix pointer/offset mistakes in handling of IPv4 options

  Reported by:	Maxime Villard &lt;maxv at NetBSD.org&gt;

MFC r328352:
  Adopt revision 1.76 and 1.77 from NetBSD:
    Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
    crash the kernel with a single packet.

    In this loop we need to increment 'ad' by two, because the length field
    of the option header does not count the size of the option header itself.

    If the length is zero, then 'count' is incremented by zero, and there's
    an infinite loop. Beyond that, this code was written with the assumption
    that since the IPv6 packet already went through the generic IPv6 option
    parser, several fields are guaranteed to be valid; but this assumption
    does not hold because of the missing '+2', and there's as a result a
    triggerable buffer overflow (write zeros after the end of the mbuf,
    potentially to the next mbuf in memory since it's a pool).

    Add the missing '+2', this place will be reinforced in separate commits.

  Reported by:	Maxime Villard &lt;maxv at NetBSD.org&gt;
</content>
</entry>
</feed>
