svn commit: r338978 - in releng: 11.1 11.1/sys/conf 11.1/sys/netinet6 11.2 11.2/sys/conf 11.2/sys/netinet6

Gordon Tetlow gordon at FreeBSD.org
Thu Sep 27 18:29:57 UTC 2018


Author: gordon
Date: Thu Sep 27 18:29:55 2018
New Revision: 338978
URL: https://svnweb.freebsd.org/changeset/base/338978

Log:
  Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
  
  Approved by:	so
  Security:	FreeBSD-EN-18:09.ip

Modified:
  releng/11.1/UPDATING
  releng/11.1/sys/conf/newvers.sh
  releng/11.1/sys/netinet6/frag6.c
  releng/11.2/UPDATING
  releng/11.2/sys/conf/newvers.sh
  releng/11.2/sys/netinet6/frag6.c

Modified: releng/11.1/UPDATING
==============================================================================
--- releng/11.1/UPDATING	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.1/UPDATING	Thu Sep 27 18:29:55 2018	(r338978)
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and 
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20180927	p15	FreeBSD-EN-18:09.ip
+			FreeBSD-EN-18:10.syscall
+			FreeBSD-EN-18:11.listen
+			FreeBSD-EN-18:12.mem
+
+	Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
+
+	Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
+
+	Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
+
+	Fix small kernel memory disclosures. [EN-18:12.mem]
+
 20180912	p14	FreeBSD-SA-18:12.elf
 			FreeBSD-EN-18:08.lazyfpu
 
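Review bot: The p15 entry added at the top of this hunk lists EN-18:10.syscall, EN-18:11.listen and EN-18:12.mem, but the log message and the Modified list of this revision cover only EN-18:09.ip (frag6.c). A tree checked out at exactly r338978 would have UPDATING describing p15 fixes that this revision does not contain. Either say in the log that the remaining errata follow in later revisions, or land the UPDATING text with the last commit of the batch.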

Modified: releng/11.1/sys/conf/newvers.sh
==============================================================================
--- releng/11.1/sys/conf/newvers.sh	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.1/sys/conf/newvers.sh	Thu Sep 27 18:29:55 2018	(r338978)
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.1"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/11.1/sys/netinet6/frag6.c
==============================================================================
--- releng/11.1/sys/netinet6/frag6.c	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.1/sys/netinet6/frag6.c	Thu Sep 27 18:29:55 2018	(r338978)
@@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	int offset = *offp, nxt, i, next;
 	int first_frag = 0;
 	int fragoff, frgpartlen;	/* must be larger than u_int16_t */
-	uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
+	uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
+		    sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
+	uint32_t hash, *hashkeyp;
 	struct ifnet *dstifp;
 	u_int8_t ecn, ecn0;
 #ifdef RSS
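Review bot: In the new `hashkey` declaration the element count comes from an integer division, `(sizeof(struct in6_addr) * 2 + sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)`, which silently rounds down if the byte total ever stops being a multiple of sizeof(uint32_t). The array would then be one word short of the size the expression is meant to give. A compile-time assertion next to the declaration (for example a CTASSERT that the byte total modulo sizeof(uint32_t) is 0) would make that assumption explicit.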

Modified: releng/11.2/UPDATING
==============================================================================
--- releng/11.2/UPDATING	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.2/UPDATING	Thu Sep 27 18:29:55 2018	(r338978)
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and 
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20180927	p4	FreeBSD-EN-18:09.ip
+			FreeBSD-EN-18:10.syscall
+			FreeBSD-EN-18:11.listen
+			FreeBSD-EN-18:12.mem
+
+	Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
+
+	Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
+
+	Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
+
+	Fix small kernel memory disclosures. [EN-18:12.mem]
+
 20180912	p3	FreeBSD-SA-18:12.elf
 			FreeBSD-EN-18:08.lazyfpu
 

Modified: releng/11.2/sys/conf/newvers.sh
==============================================================================
--- releng/11.2/sys/conf/newvers.sh	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.2/sys/conf/newvers.sh	Thu Sep 27 18:29:55 2018	(r338978)
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/11.2/sys/netinet6/frag6.c
==============================================================================
--- releng/11.2/sys/netinet6/frag6.c	Thu Sep 27 18:14:01 2018	(r338977)
+++ releng/11.2/sys/netinet6/frag6.c	Thu Sep 27 18:29:55 2018	(r338978)
@@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	int offset = *offp, nxt, i, next;
 	int first_frag = 0;
 	int fragoff, frgpartlen;	/* must be larger than u_int16_t */
-	uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
+	uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
+		    sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
+	uint32_t hash, *hashkeyp;
 	struct ifnet *dstifp;
 	u_int8_t ecn, ecn0;
 #ifdef RSS
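Review bot: The log message says only "Fix regression" and the new declaration carries no comment, so nothing records why the removed line `hashkey[sizeof(struct in6_addr) * 2 + 1]` was wrong: it used a byte count plus one as the number of uint32_t elements. A short comment above the new declaration stating that the array is sized in 32-bit words for two in6_addr values plus ip6f_ident would help keep the bytes-versus-words mix-up from coming back.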
