PR/54572 - Edgar Fuß -- error in comment

Clamp tcp timer quantities to reasonable ranges.

Reported-by: syzbot+259675123340bf46a6de@syzkaller.appspotmail.com

Replace potentially misaligned pointer dereference + htonl() with be32dec()

Reported by kUBSan.

"s/ an an / an /" in comment. No functional change.

Use non-variadic function pointer in protosw::pr_input.

rename toff -> off

rename off -> thlen

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a n

Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)

show more ...

IP6_EXTHDR_GET -> M_REGION_GET, no functional change.

Remove now unused tcpip.h includes. Some were already unused before.

Remove unused ipsec_var.h includes.

Remove the ipre_mlast field and the TRAVERSE macro.

The goal was to store in ipre_mlast the last mbuf of the chain, so that
m_cat could be called on it. But it's not needed, since m_cat already
does

Remove the ipre_mlast field and the TRAVERSE macro.

The goal was to store in ipre_mlast the last mbuf of the chain, so that
m_cat could be called on it. But it's not needed, since m_cat already
does the equivalent of TRAVERSE itself.

If it were needed, there would be a bug, since we don't call TRAVERSE on
ipre_mlast when creating a new reassembly entry.

show more ...

Remove ipsec_copy_policy and ipsec_copy_pcbpolicy. No functional change,
since we used only ipsec_copy_pcbpolicy, and it was a no-op.

Originally we were using ipsec_copy_policy to optimize the IPsec

Remove ipsec_copy_policy and ipsec_copy_pcbpolicy. No functional change,
since we used only ipsec_copy_pcbpolicy, and it was a no-op.

Originally we were using ipsec_copy_policy to optimize the IPsec-PCB
cache: when an ACK was received in response to a SYN, we used to copy the
SP cached in the SYN's PCB into the ACK's PCB, so that
ipsec_getpolicybysock could use the cached SP instead of requerying it.

Then we switched to ipsec_copy_pcbpolicy which has always been a no-op. As
a result the SP cached in the SYN was/is not copied in the ACK, and the
first call to ipsec_getpolicybysock had to query the SP and cache it
itself. It's not totally clear to me why this change was made.

But it has been this way for years, and after a conversation with Ryota
Ozaki it turns out the optimization is not valid anymore due to
MP-ification, so it won't be re-enabled.

ok ozaki-r@

show more ...

Fix the log. mtod never returns NULL, so 'ip' is always non-NULL, and the
'ip6' branch is never taken. As a result we log garbage on IPv6 packets.

Use ip_v instead.

Use consttime_memequal instead of memcmp, to prevent side channels. This
functions returns 1 when the buffers are equal, contrary to memcmp, hence
the !.

tcp_urp_drop: fix a bug introduced in 1.390 rev (hi maxv@).

Remove TCPREASS_DEBUG. It was introduced 20 years ago when the reassembler
was being developed, but it's irrelevant today. Makes the code clearer.

Reorder/Fix comments to clarify.

Remove two more 'else' branches.

Fix memory leak, we may reallocate 'tcp_saveti' after 'findpcb'. It's not
a tragic bug, because it happens only on sockets with debug enabled.

Remove 'else', makes it clearer that we leave.

Clarify with KASSERT.

Simplify the computation:

m->m_pkthdr.len - sizeof(struct tcphdr) - optlen - hlen
= m->m_pkthdr.len - (sizeof(struct tcphdr) + optlen + hlen)
= m->m_pkthdr.len - [tcp_len]
= toff

Several changes in syn_cache_respond:

* Replace idiotic diagnostic check by KASSERT. max_linkhdr+tlen<=MCLBYTES
is a widespread assumption.

* Improve initialization of 'tp'.

* Put panics in

Several changes in syn_cache_respond:

* Replace idiotic diagnostic check by KASSERT. max_linkhdr+tlen<=MCLBYTES
is a widespread assumption.

* Improve initialization of 'tp'.

* Put panics in dead branches.

* Merge two switches.

show more ...

Remove unused variable.