From owner-svn-src-all@freebsd.org Fri Aug 31 08:37:16 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6856DF788A4; Fri, 31 Aug 2018 08:37:16 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 203E3892CA; Fri, 31 Aug 2018 08:37:16 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EA87318E80; Fri, 31 Aug 2018 08:37:15 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w7V8bF3S044015; Fri, 31 Aug 2018 08:37:15 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w7V8bFsF044014; Fri, 31 Aug 2018 08:37:15 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201808310837.w7V8bFsF044014@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Fri, 31 Aug 2018 08:37:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r338406 - head/sys/netinet6 X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/sys/netinet6 X-SVN-Commit-Revision: 338406 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Aug 2018 08:37:16 -0000 Author: kp Date: Fri Aug 31 08:37:15 2018 New Revision: 338406 URL: https://svnweb.freebsd.org/changeset/base/338406 Log: frag6: Fix fragment reassembly r337776 started hashing the fragments into buckets for faster lookup. The hashkey is larger than intended. This results in random stack data being included in the hashed data, which in turn means that fragments of the same packet might end up in different buckets, causing the reassembly to fail. Set the correct size for hashkey. PR: 231045 Approved by: re (kib) MFC after: 3 days Modified: head/sys/netinet6/frag6.c Modified: head/sys/netinet6/frag6.c ============================================================================== --- head/sys/netinet6/frag6.c Fri Aug 31 05:21:33 2018 (r338405) +++ head/sys/netinet6/frag6.c Fri Aug 31 08:37:15 2018 (r338406) @@ -218,7 +218,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto) int offset = *offp, nxt, i, next; int first_frag = 0; int fragoff, frgpartlen; /* must be larger than u_int16_t */ - uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp; + uint32_t hashkey[(sizeof(struct in6_addr) * 2 + + sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)]; + uint32_t hash, *hashkeyp; struct ifnet *dstifp; u_int8_t ecn, ecn0; #ifdef RSS