diff options
| author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2019-11-12 15:46:28 +0000 |
|---|---|---|
| committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2019-11-12 15:46:28 +0000 |
| commit | a8fe77d877af46bb07e639b2d790aa10fe8c6835 (patch) | |
| tree | 4645d41abea2e18ed5f2dfa19e3100895211bfa2 | |
| parent | 4df8c94283e0981885af288035c1eab720a8476a (diff) | |
| download | src-a8fe77d877af46bb07e639b2d790aa10fe8c6835.tar.gz src-a8fe77d877af46bb07e639b2d790aa10fe8c6835.zip | |
Notes
| -rw-r--r-- | sys/netinet/tcp_input.c | 2 | ||||
| -rw-r--r-- | sys/netinet6/dest6.c | 6 | ||||
| -rw-r--r-- | sys/netinet6/frag6.c | 9 | ||||
| -rw-r--r-- | sys/netinet6/icmp6.c | 16 | ||||
| -rw-r--r-- | sys/netinet6/ip6_input.c | 4 | ||||
| -rw-r--r-- | sys/netinet6/route6.c | 2 | ||||
| -rw-r--r-- | sys/netinet6/udp6_usrreq.c | 10 |
7 files changed, 42 insertions, 7 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index c1190614a2fd..41712c8949d1 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -530,11 +530,13 @@ tcp6_input(struct mbuf **mp, int *offp, int proto) ifa_free(&ia6->ia_ifa); icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_ADDR, (caddr_t)&ip6->ip6_dst - (caddr_t)ip6); + *mp = NULL; return (IPPROTO_DONE); } if (ia6) ifa_free(&ia6->ia_ifa); + *mp = m; return (tcp_input(mp, offp, proto)); } #endif /* INET6 */ diff --git a/sys/netinet6/dest6.c b/sys/netinet6/dest6.c index 6465fc2db30a..56a711d9bad2 100644 --- a/sys/netinet6/dest6.c +++ b/sys/netinet6/dest6.c @@ -113,17 +113,21 @@ dest6_input(struct mbuf **mp, int *offp, int proto) default: /* unknown option */ optlen = ip6_unknown_opt(opt, m, opt - mtod(m, u_int8_t *)); - if (optlen == -1) + if (optlen == -1) { + *mp = NULL; return (IPPROTO_DONE); + } optlen += 2; break; } } *offp = off; + *mp = m; return (dstopts->ip6d_nxt); bad: m_freem(m); + *mp = NULL; return (IPPROTO_DONE); } diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c index d4b82aa57887..b201bc6bf3a1 100644 --- a/sys/netinet6/frag6.c +++ b/sys/netinet6/frag6.c @@ -419,6 +419,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) if (ip6->ip6_plen == 0) { icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset); in6_ifstat_inc(dstifp, ifs6_reass_fail); + *mp = NULL; return (IPPROTO_DONE); } @@ -433,6 +434,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offsetof(struct ip6_hdr, ip6_plen)); in6_ifstat_inc(dstifp, ifs6_reass_fail); + *mp = NULL; return (IPPROTO_DONE); } @@ -476,6 +478,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) offsetof(struct ip6_hdr, ip6_plen)); in6_ifstat_inc(dstifp, ifs6_reass_fail); IP6STAT_INC(ip6s_fragdropped); + *mp = NULL; return (IPPROTO_DONE); } @@ -611,6 +614,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset - sizeof(struct ip6_frag) + offsetof(struct ip6_frag, ip6f_offlg)); + *mp = NULL; return (IPPROTO_DONE); } } else if (fragoff + frgpartlen > IPV6_MAXPACKET) { @@ -627,6 +631,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, offset - sizeof(struct ip6_frag) + offsetof(struct ip6_frag, ip6f_offlg)); + *mp = NULL; return (IPPROTO_DONE); } @@ -777,6 +782,7 @@ postinsert: frag6_freef(q6, bucket); } IP6QB_UNLOCK(bucket); + *mp = NULL; return (IPPROTO_DONE); } plen += af6->ip6af_frglen; @@ -788,6 +794,7 @@ postinsert: frag6_freef(q6, bucket); } IP6QB_UNLOCK(bucket); + *mp = NULL; return (IPPROTO_DONE); } @@ -877,6 +884,7 @@ postinsert: #ifdef RSS /* Queue/dispatch for reprocessing. */ netisr_dispatch(NETISR_IPV6_DIRECT, m); + *mp = NULL; return (IPPROTO_DONE); #endif @@ -892,6 +900,7 @@ dropfrag2: in6_ifstat_inc(dstifp, ifs6_reass_fail); IP6STAT_INC(ip6s_fragdropped); m_freem(m); + *mp = NULL; return (IPPROTO_DONE); } diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 652ecab2c70b..7612011e60ba 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -617,8 +617,10 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) */ if ((ip6->ip6_hlim != 1) || (m->m_flags & M_RTALERT_MLD) == 0) goto freeit; - if (mld_input(m, off, icmp6len) != 0) + if (mld_input(m, off, icmp6len) != 0) { + *mp = NULL; return (IPPROTO_DONE); + } /* m stays. */ break; @@ -853,6 +855,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) deliver: if (icmp6_notify_error(&m, off, icmp6len, code) != 0) { /* In this case, m should've been freed. */ + *mp = NULL; return (IPPROTO_DONE); } break; @@ -869,11 +872,13 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) /* deliver the packet to appropriate sockets */ icmp6_rip6_input(&m, *offp); - return IPPROTO_DONE; + *mp = m; + return (IPPROTO_DONE); freeit: m_freem(m); - return IPPROTO_DONE; + *mp = NULL; + return (IPPROTO_DONE); } static int @@ -1106,6 +1111,7 @@ icmp6_notify_error(struct mbuf **mp, int off, int icmp6len, int code) freeit: m_freem(m); + *mp = NULL; return (-1); } @@ -1918,6 +1924,7 @@ icmp6_rip6_input(struct mbuf **mp, int off) fromsa.sin6_addr = ip6->ip6_src; if (sa6_recoverscope(&fromsa)) { m_freem(m); + *mp = NULL; return (IPPROTO_DONE); } @@ -2041,7 +2048,8 @@ icmp6_rip6_input(struct mbuf **mp, int off) m_freem(m); IP6STAT_DEC(ip6s_delivered); } - return IPPROTO_DONE; + *mp = NULL; + return (IPPROTO_DONE); } /* diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 97b5ff9987c3..99c9ef774b3b 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1010,8 +1010,10 @@ ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, off += hbhlen; hbhlen -= sizeof(struct ip6_hbh); if (ip6_process_hopopts(m, (u_int8_t *)hbh + sizeof(struct ip6_hbh), - hbhlen, rtalertp, plenp) < 0) + hbhlen, rtalertp, plenp) < 0) { + *mp = NULL; return (-1); + } *offp = off; *mp = m; diff --git a/sys/netinet6/route6.c b/sys/netinet6/route6.c index c32118aed3c3..996a7315776c 100644 --- a/sys/netinet6/route6.c +++ b/sys/netinet6/route6.c @@ -110,9 +110,11 @@ route6_input(struct mbuf **mp, int *offp, int proto) IP6STAT_INC(ip6s_badoptions); icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, (caddr_t)&rh->ip6r_type - (caddr_t)ip6); + *mp = NULL; return (IPPROTO_DONE); } *offp += rhlen; + *mp = m; return (rh->ip6r_nxt); } diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 15fdf0cf5597..a5dc68855ec9 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -394,8 +394,11 @@ udp6_input(struct mbuf **mp, int *offp, int proto) else UDP_PROBE(receive, NULL, last, ip6, last, uh); - if (udp6_append(last, n, off, fromsa)) + if (udp6_append(last, n, off, fromsa)) { + /* XXX-BZ do we leak m here? */ + *mp = NULL; return (IPPROTO_DONE); + } } INP_RUNLOCK(last); } @@ -434,6 +437,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) INP_RUNLOCK(last); } else INP_RUNLOCK(last); + *mp = NULL; return (IPPROTO_DONE); } /* @@ -501,6 +505,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) if (V_udp_blackhole) goto badunlocked; icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0); + *mp = NULL; return (IPPROTO_DONE); } INP_RLOCK_ASSERT(inp); @@ -509,6 +514,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) if (up->u_rxcslen == 0 || up->u_rxcslen > ulen) { INP_RUNLOCK(inp); m_freem(m); + *mp = NULL; return (IPPROTO_DONE); } } @@ -518,11 +524,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto) UDP_PROBE(receive, NULL, inp, ip6, inp, uh); if (udp6_append(inp, m, off, fromsa) == 0) INP_RUNLOCK(inp); + *mp = NULL; return (IPPROTO_DONE); badunlocked: if (m) m_freem(m); + *mp = NULL; return (IPPROTO_DONE); } |