From owner-svn-src-stable@freebsd.org Fri Dec 29 10:47:26 2017 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 37303E816C0; Fri, 29 Dec 2017 10:47:26 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EAA6B652E0; Fri, 29 Dec 2017 10:47:25 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vBTAlPMb060113; Fri, 29 Dec 2017 10:47:25 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vBTAlOC5060107; Fri, 29 Dec 2017 10:47:24 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201712291047.vBTAlOC5060107@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Fri, 29 Dec 2017 10:47:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r327337 - stable/11/sys/netinet6 X-SVN-Group: stable-11 X-SVN-Commit-Author: ae X-SVN-Commit-Paths: stable/11/sys/netinet6 X-SVN-Commit-Revision: 327337 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Dec 2017 10:47:26 -0000 Author: ae Date: Fri Dec 29 10:47:24 2017 New Revision: 327337 URL: https://svnweb.freebsd.org/changeset/base/327337 Log: MFC r326876: Follow the RFC6980 and silently ignore following IPv6 NDP messages that had the IPv6 fragmentation header: o Neighbor Solicitation o Neighbor Advertisement o Router Solicitation o Router Advertisement o Redirect Introduce M_FRAGMENTED mbuf flag, and set it after IPv6 fragment reassembly is completed. Then check the presence of this flag in correspondig ND6 handling routines. PR: 224247 Modified: stable/11/sys/netinet6/frag6.c stable/11/sys/netinet6/icmp6.c stable/11/sys/netinet6/in6.h stable/11/sys/netinet6/nd6_nbr.c stable/11/sys/netinet6/nd6_rtr.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet6/frag6.c ============================================================================== --- stable/11/sys/netinet6/frag6.c Fri Dec 29 07:23:18 2017 (r327336) +++ stable/11/sys/netinet6/frag6.c Fri Dec 29 10:47:24 2017 (r327337) @@ -225,6 +225,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto) IP6STAT_INC(ip6s_reassembled); in6_ifstat_inc(dstifp, ifs6_reass_ok); *offp = offset; + m->m_flags |= M_FRAGMENTED; return (ip6f->ip6f_nxt); } @@ -825,5 +826,6 @@ ip6_deletefraghdr(struct mbuf *m, int offset, int wait m_cat(m, t); } + m->m_flags |= M_FRAGMENTED; return (0); } Modified: stable/11/sys/netinet6/icmp6.c ============================================================================== --- stable/11/sys/netinet6/icmp6.c Fri Dec 29 07:23:18 2017 (r327336) +++ stable/11/sys/netinet6/icmp6.c Fri Dec 29 10:47:24 2017 (r327337) @@ -2249,6 +2249,10 @@ icmp6_redirect_input(struct mbuf *m, int off) if (!V_icmp6_rediraccept) goto freeit; + /* RFC 6980: Nodes MUST silently ignore fragments */ + if(m->m_flags & M_FRAGMENTED) + goto freeit; + #ifndef PULLDOWN_TEST IP6_EXTHDR_CHECK(m, off, icmp6len,); nd_rd = (struct nd_redirect *)((caddr_t)ip6 + off); Modified: stable/11/sys/netinet6/in6.h ============================================================================== --- stable/11/sys/netinet6/in6.h Fri Dec 29 07:23:18 2017 (r327336) +++ stable/11/sys/netinet6/in6.h Fri Dec 29 10:47:24 2017 (r327337) @@ -653,6 +653,7 @@ struct ip6_mtuinfo { #define M_LOOP M_PROTO6 #define M_AUTHIPDGM M_PROTO7 #define M_RTALERT_MLD M_PROTO8 +#define M_FRAGMENTED M_PROTO9 /* contained fragment header */ #ifdef _KERNEL struct cmsghdr; Modified: stable/11/sys/netinet6/nd6_nbr.c ============================================================================== --- stable/11/sys/netinet6/nd6_nbr.c Fri Dec 29 07:23:18 2017 (r327336) +++ stable/11/sys/netinet6/nd6_nbr.c Fri Dec 29 10:47:24 2017 (r327337) @@ -135,6 +135,10 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len) struct sockaddr_dl proxydl; char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; + /* RFC 6980: Nodes MUST silently ignore fragments */ + if(m->m_flags & M_FRAGMENTED) + goto freeit; + rflag = (V_ip6_forwarding) ? ND_NA_FLAG_ROUTER : 0; if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV && V_ip6_norbit_raif) rflag = 0; @@ -628,6 +632,10 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len) size_t linkhdrsize; int lladdr_off; char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; + + /* RFC 6980: Nodes MUST silently ignore fragments */ + if(m->m_flags & M_FRAGMENTED) + goto freeit; if (ip6->ip6_hlim != 255) { nd6log((LOG_ERR, Modified: stable/11/sys/netinet6/nd6_rtr.c ============================================================================== --- stable/11/sys/netinet6/nd6_rtr.c Fri Dec 29 07:23:18 2017 (r327336) +++ stable/11/sys/netinet6/nd6_rtr.c Fri Dec 29 10:47:24 2017 (r327337) @@ -137,6 +137,10 @@ nd6_rs_input(struct mbuf *m, int off, int icmp6len) if (!V_ip6_forwarding || ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) goto freeit; + /* RFC 6980: Nodes MUST silently ignore fragments */ + if(m->m_flags & M_FRAGMENTED) + goto freeit; + /* Sanity checks */ if (ip6->ip6_hlim != 255) { nd6log((LOG_ERR, @@ -225,6 +229,10 @@ nd6_ra_input(struct mbuf *m, int off, int icmp6len) * ND6_IFF_ACCEPT_RTADV is on the receiving interface. */ if (!(ndi->flags & ND6_IFF_ACCEPT_RTADV)) + goto freeit; + + /* RFC 6980: Nodes MUST silently ignore fragments */ + if(m->m_flags & M_FRAGMENTED) goto freeit; if (ip6->ip6_hlim != 255) {