From owner-svn-src-all@freebsd.org  Wed Aug 22 01:43:12 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3F2271086883;
 Wed, 22 Aug 2018 01:43:12 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id E55B079449;
 Wed, 22 Aug 2018 01:43:11 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C646746BE;
 Wed, 22 Aug 2018 01:43:11 +0000 (UTC) (envelope-from cy@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w7M1hB1k012103;
 Wed, 22 Aug 2018 01:43:11 GMT (envelope-from cy@FreeBSD.org)
Received: (from cy@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w7M1hBmR012102;
 Wed, 22 Aug 2018 01:43:11 GMT (envelope-from cy@FreeBSD.org)
Message-Id: <201808220143.w7M1hBmR012102@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cy set sender to cy@FreeBSD.org
 using -f
From: Cy Schubert <cy@FreeBSD.org>
Date: Wed, 22 Aug 2018 01:43:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r338171 - in stable: 10/sys/contrib/ipfilter/netinet
 11/sys/contrib/ipfilter/netinet
X-SVN-Group: stable-11
X-SVN-Commit-Author: cy
X-SVN-Commit-Paths: in stable: 10/sys/contrib/ipfilter/netinet
 11/sys/contrib/ipfilter/netinet
X-SVN-Commit-Revision: 338171
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 01:43:12 -0000

Author: cy
Date: Wed Aug 22 01:43:11 2018
New Revision: 338171
URL: https://svnweb.freebsd.org/changeset/base/338171

Log:
  MFC r338047:
  
  The bucket index is subtracted by one at lines 2304 and 2314.  When 0 it
  becomes -1, except these are unsigned integers, so they become very large
  numbers. Thus are always larger than the maximum bucket; the hash table
  insertion fails causing NAT to fail.
  
  This commit ensures that if the index is already zero it is not reduced
  prior to insertion into the hash table.
  
  PR:		208566

Modified:
  stable/11/sys/contrib/ipfilter/netinet/ip_nat.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/10/sys/contrib/ipfilter/netinet/ip_nat.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/11/sys/contrib/ipfilter/netinet/ip_nat.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_nat.c	Wed Aug 22 01:23:11 2018	(r338170)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_nat.c	Wed Aug 22 01:43:11 2018	(r338171)
@@ -2304,14 +2304,16 @@ ipf_nat_delete(softc, nat, logtype)
 
 		bkt = nat->nat_hv[0] % softn->ipf_nat_table_sz;
 		nss = &softn->ipf_nat_stats.ns_side[0];
-		nss->ns_bucketlen[bkt]--;
+		if (nss->ns_bucketlen[bkt] > 0)
+			nss->ns_bucketlen[bkt]--;
 		if (nss->ns_bucketlen[bkt] == 0) {
 			nss->ns_inuse--;
 		}
 
 		bkt = nat->nat_hv[1] % softn->ipf_nat_table_sz;
 		nss = &softn->ipf_nat_stats.ns_side[1];
-		nss->ns_bucketlen[bkt]--;
+		if (nss->ns_bucketlen[bkt] > 0)
+			nss->ns_bucketlen[bkt]--;
 		if (nss->ns_bucketlen[bkt] == 0) {
 			nss->ns_inuse--;
 		}