Source-Changes-HG archive
[src/trunk]: src/sys/external/bsd/ipf/netinet When growing the state, remembe...
details: https://anonhg.NetBSD.org/src/rev/236fbbd4f9c0
branches: trunk
changeset: 356785:236fbbd4f9c0
user: christos <christos%NetBSD.org@localhost>
date: Thu Oct 12 18:27:38 2017 +0000
description:
When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.
diffstat:
sys/external/bsd/ipf/netinet/ip_state.c | 65 ++++++++++++++++++++++----------
1 files changed, 45 insertions(+), 20 deletions(-)
diffs (117 lines):
diff -r edcfc4c15865 -r 236fbbd4f9c0 sys/external/bsd/ipf/netinet/ip_state.c
--- a/sys/external/bsd/ipf/netinet/ip_state.c Thu Oct 12 09:53:55 2017 +0000
+++ b/sys/external/bsd/ipf/netinet/ip_state.c Thu Oct 12 18:27:38 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_state.c,v 1.8 2017/07/01 16:34:17 khorben Exp $ */
+/* $NetBSD: ip_state.c,v 1.9 2017/10/12 18:27:38 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -100,7 +100,7 @@
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.8 2017/07/01 16:34:17 khorben Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.9 2017/10/12 18:27:38 christos Exp $");
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@@ -298,6 +298,32 @@
KFREE(softs);
}
+static void *
+ipf_state_seed_alloc(u_int state_size, u_int state_max)
+{
+ u_int i;
+ u_long *state_seed;
+ KMALLOCS(state_seed, u_long *, state_size * sizeof(*state_seed));
+ if (state_seed == NULL)
+ return NULL;
+
+ for (i = 0; i < state_size; i++) {
+ /*
+ * XXX - ipf_state_seed[X] should be a random number of sorts.
+ */
+#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+ state_seed[i] = cprng_fast32();
+#else
+ state_seed[i] = ((u_long)state_seed + i) * state_size;
+ state_seed[i] ^= 0xa5a55a5a;
+ state_seed[i] *= state_seed;
+ state_seed[i] ^= 0x5a5aa5a5;
+ state_seed[i] *= state_max;
+#endif
+ }
+ return state_seed;
+}
+
/* ------------------------------------------------------------------------ */
/* Function: ipf_state_soft_init */
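Review bot: In the `#else` fallback branch of ipf_state_seed_alloc, `state_seed[i] *= state_seed;` multiplies a u_long by a pointer. The removed code in ipf_state_soft_init had the cast, so the line should read `state_seed[i] *= (u_long)state_seed;`; as written, a build with NEED_LOCAL_RAND defined or without _KERNEL should fail to compile. The helper could also return `u_long *` rather than `void *`, so that both callers keep type checking on the assignment. Separately, the fallback seeds depend only on the allocation address and the table sizes, so they are predictable and give little protection against deliberate hash collisions in the state table; the existing XXX comment hints at this and could say so explicitly.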
@@ -328,27 +354,11 @@
bzero((char *)softs->ipf_state_table,
softs->ipf_state_size * sizeof(ipstate_t *));
- KMALLOCS(softs->ipf_state_seed, u_long *,
- softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+ softs->ipf_state_seed = ipf_state_seed_alloc(softs->ipf_state_size,
+ softs->ipf_state_max);
if (softs->ipf_state_seed == NULL)
return -2;
- for (i = 0; i < softs->ipf_state_size; i++) {
- /*
- * XXX - ipf_state_seed[X] should be a random number of sorts.
- */
-#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
- softs->ipf_state_seed[i] = cprng_fast32();
-#else
- softs->ipf_state_seed[i] = ((u_long)softs->ipf_state_seed + i) *
- softs->ipf_state_size;
- softs->ipf_state_seed[i] ^= 0xa5a55a5a;
- softs->ipf_state_seed[i] *= (u_long)softs->ipf_state_seed;
- softs->ipf_state_seed[i] ^= 0x5a5aa5a5;
- softs->ipf_state_seed[i] *= softs->ipf_state_max;
-#endif
- }
-
KMALLOCS(softs->ipf_state_stats.iss_bucketlen, u_int *,
softs->ipf_state_size * sizeof(u_int));
if (softs->ipf_state_stats.iss_bucketlen == NULL)
@@ -5137,6 +5147,7 @@
{
ipf_state_softc_t *softs = softc->ipf_state_soft;
ipstate_t **newtab, *is;
+ u_long *newseed;
u_int *bucketlens;
u_int maxbucket;
u_int newsize;
@@ -5163,6 +5174,14 @@
return ENOMEM;
}
+ newseed = ipf_state_seed_alloc(newsize, softs->ipf_state_max);
+ if (newseed == NULL) {
+ KFREES(bucketlens, newsize * sizeof(*bucketlens));
+ KFREES(newtab, newsize * sizeof(*newtab));
+ IPFERROR(100037);
+ return ENOMEM;
+ }
+
for (maxbucket = 0, i = newsize; i > 0; i >>= 1)
maxbucket++;
maxbucket *= 2;
@@ -5178,6 +5197,12 @@
}
softs->ipf_state_table = newtab;
+ if (softs->ipf_state_seed != NULL) {
+ KFREES(softs->ipf_state_seed,
+ softs->ipf_state_size * sizeof(*softs->ipf_state_seed));
+ }
+ softs->ipf_state_seed = newseed;
+
if (softs->ipf_state_stats.iss_bucketlen != NULL) {
KFREES(softs->ipf_state_stats.iss_bucketlen,
softs->ipf_state_size * sizeof(u_int));
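Review bot: The `KFREES` of the old seed array sizes the free with `softs->ipf_state_size`, which is correct only while that field still holds the old table size. The assignment of the new size is outside this hunk, so the ordering cannot be confirmed from here. A comment would guard it against later reordering, for example `/* ipf_state_size is still the old size here; update it only after the old arrays are freed */`. Whether entries inserted under the old seeds are still found in the right bucket once `newseed` is installed also depends on code outside the hunk, and is worth confirming.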