Date: Sun, 1 Sep 2024 14:10:01 GMT
Message-Id: <202409011410.481EA1Er001747@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 7d508464f56c - main - carp: Fix pullup checks
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7d508464f56cf262465fd23ab96e357d8e42c927

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=7d508464f56cf262465fd23ab96e357d8e42c927

commit 7d508464f56cf262465fd23ab96e357d8e42c927
Author:     Mark Johnston
AuthorDate: 2024-08-31 01:18:23 +0000
Commit:     Mark Johnston
CommitDate: 2024-09-01 14:09:53 +0000

    carp: Fix pullup checks

    The conditions used to test whether a pullup is needed were inverted.

    While here:
    - Fix a bogus assignment to "iplen": it's already initialized to *offp.
    - Use in_cksum_skip() instead of manually adjusting the data pointer.
      Otherwise the mbuf is temporarily in an invalid state, since m_len
      isn't updated to match.

    Reported by:    KMSAN
    Reviewed by:    kp
    Sponsored by:   Klara, Inc.
    Fixes:          37115154672f ("carp: support VRRPv3")
    Differential Revision:  https://reviews.freebsd.org/D46492

--- sys/netinet/ip_carp.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c index 9f163c1097ba..ab001d346313 100644 --- a/sys/netinet/ip_carp.c +++ b/sys/netinet/ip_carp.c @@ -516,7 +516,7 @@ static int carp_input(struct mbuf **mp, int *offp, int proto) { struct mbuf *m = *mp; - struct ip *ip = mtod(m, struct ip *); + struct ip *ip; struct vrrpv3_header *vh; int iplen; int minlen; 
@@ -532,9 +532,6 @@ carp_input(struct mbuf **mp, int *offp, int proto) return (IPPROTO_DONE); } - iplen = ip->ip_hl << 2; - totlen = ntohs(ip->ip_len); - /* Ensure we have enough header to figure out the version. */ if (m->m_pkthdr.len < iplen + sizeof(*vh)) { CARPSTATS_INC(carps_badlen); @@ -545,14 +542,15 @@ carp_input(struct mbuf **mp, int *offp, int proto) return (IPPROTO_DONE); } - if (iplen + sizeof(*vh) < m->m_len) { + if (m->m_len < iplen + sizeof(*vh)) { if ((m = m_pullup(m, iplen + sizeof(*vh))) == NULL) { CARPSTATS_INC(carps_hdrops); CARP_DEBUG("%s():%d: pullup failed\n", __func__, __LINE__); return (IPPROTO_DONE); } - ip = mtod(m, struct ip *); } + ip = mtod(m, struct ip *); + totlen = ntohs(ip->ip_len); vh = (struct vrrpv3_header *)((char *)ip + iplen); switch (vh->vrrp_version) { @@ -581,7 +579,7 @@ carp_input(struct mbuf **mp, int *offp, int proto) return (IPPROTO_DONE); } - if (iplen + minlen < m->m_len) { + if (m->m_len < iplen + minlen) { if ((m = m_pullup(m, iplen + minlen)) == NULL) { CARPSTATS_INC(carps_hdrops); CARP_DEBUG("%s():%d: pullup failed\n", __func__, __LINE__); @@ -596,15 +594,13 @@ carp_input(struct mbuf **mp, int *offp, int proto) struct carp_header *ch; /* verify the CARP checksum */ - m->m_data += iplen; - if (in_cksum(m, totlen - iplen)) { + if (in_cksum_skip(m, totlen, iplen)) { CARPSTATS_INC(carps_badsum); CARP_DEBUG("%s: checksum failed on %s\n", __func__, if_name(m->m_pkthdr.rcvif)); m_freem(m); break; } - m->m_data -= iplen; ch = (struct carp_header *)((char *)ip + iplen); carp_input_c(m, ch, AF_INET, ip->ip_ttl); break; @@ -689,7 +685,7 @@ carp6_input(struct mbuf **mp, int *offp, int proto) return (IPPROTO_DONE); } - if (sizeof (*ip6) + minlen < m->m_len) { + if (m->m_len < sizeof(*ip6) + minlen) { if ((m = m_pullup(m, sizeof(*ip6) + minlen)) == NULL) { CARPSTATS_INC(carps_hdrops); CARP_DEBUG("%s():%d: pullup failed\n", __func__, __LINE__); 
@@ -704,15 +700,14 @@ carp6_input(struct mbuf **mp, int *offp, int proto) struct carp_header *ch; /* verify the CARP checksum */ - m->m_data += *offp; - if (in_cksum(m, sizeof(struct carp_header))) { + if (in_cksum_skip(m, *offp + sizeof(struct carp_header), + *offp)) { CARPSTATS_INC(carps_badsum); CARP_DEBUG("%s: checksum failed, on %s\n", __func__, if_name(m->m_pkthdr.rcvif)); m_freem(m); break; } - m->m_data -= *offp; ch = (struct carp_header *)((char *)ip6 + sizeof(*ip6)); carp_input_c(m, ch, AF_INET6, ip6->ip6_hlim); break;
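Review bot: in the `@@ -581,7 +579,7` hunk of carp_input(), the corrected test `m->m_len < iplen + minlen` means this m_pullup() now actually runs for a short first mbuf and can hand back a different mbuf, but the visible context ends at the CARP_DEBUG line and does not show `ip` or `vh` being re-derived afterwards. The earlier pullup was changed to reload `ip = mtod(m, struct ip *)` unconditionally after the block; the same treatment here would make it obvious that the later `(char *)ip + iplen` and `ip->ip_ttl` uses never see a pointer into the old mbuf. If the reload already sits just past the end of this hunk, hoisting it out of the `if` to match the first pullup keeps the two sites consistent.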
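Review bot: in the `@@ -596,15 +594,13` hunk, `in_cksum_skip(m, totlen, iplen)` takes `totlen` straight from `ntohs(ip->ip_len)`, and nothing in the visible lines bounds it against `iplen + minlen` or `m->m_pkthdr.len` before it is used as the checksum length. The earlier length checks shown in this patch are all written against `m->m_pkthdr.len` and `m->m_len`, not `totlen`. If the IP input path already guarantees `iplen <= totlen <= m->m_pkthdr.len` by the time carp_input() runs, a KASSERT or a one-line comment at this call would document that; otherwise an explicit check with a `carps_badlen` bump belongs before the checksum.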
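Review bot: in the `@@ -704,15 +700,14` hunk of carp6_input(), the checksum now starts at `*offp` while the header pointer two lines later is still computed as `(char *)ip6 + sizeof(*ip6)`, and the pullup in the preceding hunk also sizes itself with `sizeof(*ip6) + minlen`. These agree only when `*offp == sizeof(*ip6)`; if that is an invariant for this input path it deserves an assertion, and otherwise all three sites should use `*offp` so the bytes that are pulled up, checksummed and parsed are the same ones. Separately, this path checksums a fixed `sizeof(struct carp_header)` while the IPv4 path covers `totlen - iplen`; a short comment on why the two differ would help the next reader.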