From 2be2e5908b0ca841a7b1c656fa031890045daa97 Mon Sep 17 00:00:00 2001
From: dlg <dlg@openbsd.org>
Date: Thu, 18 Aug 2016 06:01:10 +0000
Subject: [PATCH] fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@
---
 sys/netinet/ip_ah.c     | 22 +++++++---------------
 sys/netinet/ip_esp.c    | 20 ++++++--------------
 sys/netinet/ip_ipcomp.c | 21 +++++++--------------
 3 files changed, 20 insertions(+), 43 deletions(-)

diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 1fc2c149378..222a6ee7ffc 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ah.c,v 1.120 2016/08/15 11:35:25 dlg Exp $ */
+/*	$OpenBSD: ip_ah.c,v 1.121 2016/08/18 06:01:10 dlg Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -929,7 +929,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 	struct auth_hash *ahx = (struct auth_hash *) tdb->tdb_authalgxform;
 	struct cryptodesc *crda;
 	struct tdb_crypto *tc;
-	struct mbuf *mo, *mi;
+	struct mbuf *mi;
 	struct cryptop *crp;
 	u_int16_t iplen;
 	int len, rplen;
@@ -1037,18 +1037,14 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 
 	/*
 	 * Loop through mbuf chain; if we find a readonly mbuf,
-	 * replace the rest of the chain.
+	 * copy the packet.
 	 */
-	mo = NULL;
 	mi = m;
-	while (mi != NULL && !M_READONLY(mi)) {
-		mo = mi;
+	while (mi != NULL && !M_READONLY(mi))
 		mi = mi->m_next;
-	}
 
 	if (mi != NULL) {
-		/* Replace the rest of the mbuf chain. */
-		struct mbuf *n = m_dup_pkt(mi, 0, M_DONTWAIT);
+		struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT);
 
 		if (n == NULL) {
 			ahstat.ahs_hdrops++;
@@ -1056,12 +1052,8 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 			return ENOBUFS;
 		}
 
-		if (mo != NULL)
-			mo->m_next = n;
-		else
-			m = n;
-
-		m_freem(mi);
+		m_freem(m);
+		m = n;
 	}
 
 	/* Inject AH header. */
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 4b44c77c76c..2c7b988e73f 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp.c,v 1.138 2016/08/15 11:35:25 dlg Exp $ */
+/*	$OpenBSD: ip_esp.c,v 1.139 2016/08/18 06:01:10 dlg Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -884,18 +884,14 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 
 	/*
 	 * Loop through mbuf chain; if we find a readonly mbuf,
-	 * replace the rest of the chain.
+	 * copy the packet.
 	 */
-	mo = NULL;
 	mi = m;
-	while (mi != NULL && !M_READONLY(mi)) {
-		mo = mi;
+	while (mi != NULL && !M_READONLY(mi))
 		mi = mi->m_next;
-	}
 
 	if (mi != NULL)	{
-		/* Replace the rest of the mbuf chain. */
-		struct mbuf *n = m_dup_pkt(mi, 0, M_DONTWAIT);
+		struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT);
 
 		if (n == NULL) {
 			DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n",
@@ -906,12 +902,8 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 			return ENOBUFS;
 		}
 
-		if (mo != NULL)
-			mo->m_next = n;
-		else
-			m = n;
-
-		m_freem(mi);
+		m_freem(m);
+		m = n;
 	}
 
 	/* Inject ESP header. */
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index 27bc2f381cc..120511bf37e 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.45 2016/08/15 11:35:25 dlg Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.46 2016/08/18 06:01:10 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -373,7 +373,7 @@ ipcomp_output(m, tdb, mp, skip, protoff)
 	struct cryptodesc *crdc = NULL;
 	struct cryptop *crp;
 	struct tdb_crypto *tc;
-	struct mbuf    *mi, *mo;
+	struct mbuf    *mi;
 #ifdef ENCDEBUG
 	char buf[INET6_ADDRSTRLEN];
 #endif
@@ -462,18 +462,14 @@ ipcomp_output(m, tdb, mp, skip, protoff)
 	}
 	/*
 	 * Loop through mbuf chain; if we find a readonly mbuf,
-	 * replace the rest of the chain.
+	 * copy the packet.
 	 */
-	mo = NULL;
 	mi = m;
-	while (mi != NULL && !M_READONLY(mi)) {
-		mo = mi;
+	while (mi != NULL && !M_READONLY(mi))
 		mi = mi->m_next;
-	}
 
 	if (mi != NULL) {
-		/* Replace the rest of the mbuf chain. */
-		struct mbuf    *n = m_dup_pkt(mi, 0, M_DONTWAIT);
+		struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT);
 
 		if (n == NULL) {
 			DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA %s/%08x\n",
@@ -483,12 +479,9 @@ ipcomp_output(m, tdb, mp, skip, protoff)
 			m_freem(m);
 			return ENOBUFS;
 		}
-		if (mo != NULL)
-			mo->m_next = n;
-		else
-			m = n;
 
-		m_freem(mi);
+		m_freem(m);
+		m = n;
 	}
 	/* Ok now, we can pass to the crypto processing */
 
-- 
2.20.1