Bug 231045 - ipv6 fragment reassembly broken
Summary: ipv6 fragment reassembly broken
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: Kristof Provost
URL:
Keywords: ipv6, regression
: 231050 (view as bug list)
Depends on:
Blocks: 228911
  Show dependency treegraph
 
Reported: 2018-08-31 02:40 UTC by Conrad Meyer
Modified: 2018-10-09 04:56 UTC (History)
11 users (show)

See Also:
koobs: mfc-stable11+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Conrad Meyer freebsd_committer 2018-08-31 02:40:16 UTC
I think the issue is well understood, just want to track the bug in bugzilla so it can be added to 12.0 release blockers.
Comment 1 Conrad Meyer freebsd_committer 2018-08-31 02:41:23 UTC
See svn-src discussion around r337776.
Comment 2 Kurt Jaeger freebsd_committer 2018-08-31 07:58:59 UTC
*** Bug 231050 has been marked as a duplicate of this bug. ***
Comment 3 commit-hook freebsd_committer 2018-08-31 08:38:07 UTC
A commit references this bug:

Author: kp
Date: Fri Aug 31 08:37:15 UTC 2018
New revision: 338406
URL: https://svnweb.freebsd.org/changeset/base/338406

Log:
  frag6: Fix fragment reassembly

  r337776 started hashing the fragments into buckets for faster lookup.

  The hashkey is larger than intended. This results in random stack data being
  included in the hashed data, which in turn means that fragments of the same
  packet might end up in different buckets, causing the reassembly to fail.

  Set the correct size for hashkey.

  PR:		231045
  Approved by:	re (kib)
  MFC after:	3 days

Changes:
  head/sys/netinet6/frag6.c
Comment 4 commit-hook freebsd_committer 2018-09-03 08:57:37 UTC
A commit references this bug:

Author: kp
Date: Mon Sep  3 08:57:09 UTC 2018
New revision: 338442
URL: https://svnweb.freebsd.org/changeset/base/338442

Log:
  MFC r338406:

  frag6: Fix fragment reassembly

  r337776 started hashing the fragments into buckets for faster lookup.

  The hashkey is larger than intended. This results in random stack data being
  included in the hashed data, which in turn means that fragments of the same
  packet might end up in different buckets, causing the reassembly to fail.

  Set the correct size for hashkey.

  PR:		231045

Changes:
_U  stable/11/
  stable/11/sys/netinet6/frag6.c
Comment 5 Xin LI freebsd_committer 2018-09-24 21:27:59 UTC
EN/SA revision candidate.  Reference: https://lists.freebsd.org/pipermail/freebsd-net/2018-September/051667.html
Comment 6 Kurt Jaeger freebsd_committer 2018-09-29 09:45:33 UTC
EN was published:
https://www.freebsd.org/security/advisories/FreeBSD-EN-18:09.ip.asc
Comment 7 Conrad Meyer freebsd_committer 2018-10-09 04:56:33 UTC
Fixed in 12, MFC'd, done?