tcp_reass: Mitigate CVE-2018-6922 (SegmentSmack)

at a level of FreeBSD, by introducing an arbitrary (100) limit to
the length of TCP reassembly queues:

https://github.com/freebsd/freebsd-src/commit

tcp_reass: Mitigate CVE-2018-6922 (SegmentSmack)

at a level of FreeBSD, by introducing an arbitrary (100) limit to
the length of TCP reassembly queues:

https://github.com/freebsd/freebsd-src/commit/95a914f6316874f5b0c45d491f2843dc810071ef

Originally authored by ryo@.

We thank Tomoyuki Sahara <tsahara at iij>, who has analyzed the
problem again, updated the patch, and carried out experiments for
vulnerability scenarios. The confidential PR below is based on
his work.

PR security/58708

show more ...

sys: Drop redundant NULL check before m_freem(9)

m_freem(9) safely has accepted NULL argument at least since 4.2BSD:
https://www.tuhs.org/cgi-bin/utree.pl?file=4.2BSD/usr/src/sys/sys/uipc_mbuf.c

Co

sys: Drop redundant NULL check before m_freem(9)

m_freem(9) safely has accepted NULL argument at least since 4.2BSD:
https://www.tuhs.org/cgi-bin/utree.pl?file=4.2BSD/usr/src/sys/sys/uipc_mbuf.c

Compile-tested on amd64/ALL.

Suggested by knakahara@

show more ...

netinet: Use _NET_STAT* API instead of direct array access.

PR kern/58380

inpcb: rename functions to in6pcb_*

inpcb: rename functions to inpcb_*

Inspired by rmind-smpnet patches.

inpcb: separate inpcb again to reduce the size of PCB for IPv4

The data size of PCB for IPv4 increased because of the merge of
struct in6pcb. The change decreases the size to the original size by
s

inpcb: separate inpcb again to reduce the size of PCB for IPv4

The data size of PCB for IPv4 increased because of the merge of
struct in6pcb. The change decreases the size to the original size by
separating struct inpcb (again). struct in4pcb and in6pcb that embed
struct inpcb are introduced.

Even after the separation, users don't need to realize the separation
and only have to use some macros to access dedicated data. For example,
inp->inp_laddr is now accessed through in4p_laddr(inp).

show more ...

inpcb: integrate data structures of PCB into one

Data structures of network protocol control blocks (PCBs), i.e.,
struct inpcb, in6pcb and inpcb_hdr, are not organized well. Users of
the data struc

inpcb: integrate data structures of PCB into one

Data structures of network protocol control blocks (PCBs), i.e.,
struct inpcb, in6pcb and inpcb_hdr, are not organized well. Users of
the data structures have to handle them separately and thus the code
is cluttered and duplicated.

The commit integrates the data structures into one, struct inpcb. As a
result, users of PCBs only have to handle just one data structure, so
the code becomes simple.

One drawback is that the data size of PCB for IPv4 increases by 40 bytes
(from 248 bytes to 288 bytes).

show more ...

tcp: separate syn cache stuffs into tcp_syncache.[ch] files

No functional change.

fix various typos in comment, documentation and log messages.

fix few typos in comments, mainly s/paramenters/parameters/.

fix typos in asymmetry, asymmetric(al), symmetrical.

fix various typos in comments.

s/threshhold/threshold

Remove the unused "addin" argument (it was always 0) and go back using
a random iss by default (instead of rfc1948)

it's spelled struct tcphdr, not struct tcp_hdr

- Make ALIGNED_POINTER use __alignof(t) instead of sizeof(t). This is more
correct because it works with non-primitive types and provides the ABI
alignment for the type the compiler will use.
- R

- Make ALIGNED_POINTER use __alignof(t) instead of sizeof(t). This is more
correct because it works with non-primitive types and provides the ABI
alignment for the type the compiler will use.
- Remove all the *_HDR_ALIGNMENT macros and asserts
- Replace POINTER_ALIGNED_P with ACCESSIBLE_POINTER which is identical to
ALIGNED_POINTER, but returns that the pointer is always aligned if the
CPU supports unaligned accesses.
[ as proposed in tech-kern ]

show more ...

- centralize header align and pullup into a single inline function
- use a single macro to align pointers and expose the alignment, instead
of hard-coding 3 in 1/2 the macros.
- fix an issue in the

- centralize header align and pullup into a single inline function
- use a single macro to align pointers and expose the alignment, instead
of hard-coding 3 in 1/2 the macros.
- fix an issue in the ipv6 lt2p where it was aligning for ipv4 and pulling
for ipv6.

show more ...

s/occurence/occurrence/

inet: Fix build without ARP

ARP: Use ND rather than our own.

This brings the benefit of Neighbour Unreachability Detection which is
something ARP sorely lacks.

The new timings mirror those of IPv6 and are adjustable via sysct

ARP: Use ND rather than our own.

This brings the benefit of Neighbour Unreachability Detection which is
something ARP sorely lacks.

The new timings mirror those of IPv6 and are adjustable via sysctl(8).
Unlike IPv6 ND, these are global and not per interface.

show more ...

tcp_input: Adjust for ND changes

PR/kern 55567

fix the data-only fast path. RCV.UP and SND.WL1 could be left behind
on long sequences of data only packets. pull them along to avoid relative
sequence wraps.

consistent with FreeBSD

PR/kern 55567

fix the data-only fast path. RCV.UP and SND.WL1 could be left behind
on long sequences of data only packets. pull them along to avoid relative
sequence wraps.

consistent with FreeBSD

addresses second failure mode of PR/kern 55567.

pullup to netbsd-8
pullup to netbsd-9

show more ...

Fix fast path for uni directional transfers
pure ACK case:

drag snd_wl2 along so only newer
ACKs can update the window size.
also avoids the state where snd_wl2
is eventually larger than th_ack and

Fix fast path for uni directional transfers
pure ACK case:

drag snd_wl2 along so only newer
ACKs can update the window size.
also avoids the state where snd_wl2
is eventually larger than th_ack and thus
blocking the window update mechanism and
the connection gets stuck for a loooong
time in the zero sized send window state.

see PR/kern 55567

ok thorpej@, also found in FreeBSD

show more ...

- always set both ip and ip6, otherwise a kernel assertion can be triggered
- move alignment early so that we do less work

Call rtcache_unref() only when the checks succeed, instead of relying on
another NULL check in rtcache_unref().

Because, in order to resolve the address of the second argument, we do a
dereference o

Call rtcache_unref() only when the checks succeed, instead of relying on
another NULL check in rtcache_unref().

Because, in order to resolve the address of the second argument, we do a
dereference on 'tp', which is theoretically allowed to be NULL. The five
callers of nd6_hint() never pass a NULL argument however, so by luck the
actual NULL deref never happens.

Maybe the NULL check on 'tp' in should be replaced to a KASSERT ensuring
it isn't NULL, for clarity.

Reported by kUBSan.

show more ...