Index: sys/netinet/ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.328
diff -p -u -r1.328 ip_input.c
--- sys/netinet/ip_input.c 21 Jan 2016 15:41:30 -0000 1.328
+++ sys/netinet/ip_input.c 3 Feb 2016 20:04:38 -0000
@@ -411,12 +411,14 @@ ip_input(struct mbuf *m)
return; } } + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); ip = mtod(m, struct ip *); if (ip->ip_v != IPVERSION) { IP_STATINC(IP_STAT_BADVERS); goto bad; } hlen = ip->ip_hl << 2; + KASSERT(IP_HDR_ALIGNED_P(hlen)); if (hlen < sizeof(struct ip)) { /* minimum header length */ IP_STATINC(IP_STAT_BADHLEN); goto bad;
@@ -426,6 +428,7 @@ ip_input(struct mbuf *m)
IP_STATINC(IP_STAT_BADHLEN); return; } + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); ip = mtod(m, struct ip *); }
@@ -530,8 +533,10 @@ ip_input(struct mbuf *m)
if (freed || m == NULL) { return; } + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; + KASSERT(IP_HDR_ALIGNED_P(hlen)); /* * XXX The setting of "srcrt" here is to prevent ip_forward()
@@ -744,8 +749,10 @@ ours:
* Reassembly is done, we have the final packet. * Updated cached data in local variable(s). */ + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; + KASSERT(IP_HDR_ALIGNED_P(hlen)); } #ifdef IPSEC
@@ -776,6 +783,9 @@ ours:
const int off = hlen, nh = ip->ip_p; + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); + KASSERT(IP_HDR_ALIGNED_P(off)); + SOFTNET_LOCK(); (*inetsw[ip_protox[nh]].pr_input)(m, off, nh); SOFTNET_UNLOCK();
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/tcp_input.c,v
retrieving revision 1.344
diff -p -u -r1.344 tcp_input.c
--- sys/netinet/tcp_input.c 24 Aug 2015 22:21:26 -0000 1.344
+++ sys/netinet/tcp_input.c 3 Feb 2016 20:04:40 -0000
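Review bot: `KASSERT(IP_HDR_ALIGNED_P(hlen))` in the ip_input.c hunk at -411,12 cannot fail, because `hlen` is `ip->ip_hl << 2` and so always a multiple of four; assuming the macro tests the low two address bits, it is also being applied to a length rather than a pointer. It sits before the `hlen < sizeof(struct ip)` check, so it reads as validation of the received header while checking nothing. The same applies to the `hlen` assertions at -530,8 and -744,8 and, as far as `off` and `toff` are header lengths derived the same way, to `KASSERT(IP_HDR_ALIGNED_P(off))` at -776,6 and the `toff` assertions in tcp_input.c. I would drop these lines, or replace each with a comment such as `/* hlen = ip_hl << 2: always a multiple of 4 */`. ip_input() starts and ends outside the hunk.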
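Review bot: The pointer assertion added after `if (freed || m == NULL)` in the ip_input.c hunk at -530,8 is not a runtime guard: KASSERT is compiled out of kernels built without DIAGNOSTIC, so a release kernel on a strict-alignment machine still evaluates `ip->ip_hl` on whatever `mtod(m, ...)` returns, while a DIAGNOSTIC kernel panics on a condition that depends on how received traffic was laid out in the mbuf chain. The code that hands `m` back at this point is outside the hunk, so I cannot tell whether it can return an unaligned header; if it can, handle it explicitly, for example `if (!IP_HDR_ALIGNED_P(mtod(m, void *))) goto bad;` once it is confirmed that `bad` frees `m` on this path, or re-align the header before the dereference. The same question applies to the pointer assertions at -426,6 and -744,8 and to `KASSERT(TCP_HDR_ALIGNED_P(th))` after `IP6_EXTHDR_GET` in tcp_input.c.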
@@ -1238,6 +1238,11 @@ tcp_input(struct mbuf *m, ...)
(void)va_arg(ap, int); /* ignore value, advance ap */ va_end(ap); + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); + KASSERT(IP_HDR_ALIGNED_P(toff)); + KASSERT(TCP_HDR_ALIGNED_P(mtod(m, void *))); + KASSERT(TCP_HDR_ALIGNED_P(toff)); + TCP_STATINC(TCP_STAT_RCVTOTAL); memset(&opti, 0, sizeof(opti));
@@ -1268,6 +1273,7 @@ tcp_input(struct mbuf *m, ...)
* Get IP and TCP header. * Note: IP leaves IP header in first mbuf. */ + KASSERT(IP_HDR_ALIGNED_P(mtod(m, void *))); ip = mtod(m, struct ip *); switch (ip->ip_v) { #ifdef INET
@@ -1277,12 +1283,15 @@ tcp_input(struct mbuf *m, ...)
#endif af = AF_INET; iphlen = sizeof(struct ip); + KASSERT(TCP_HDR_ALIGNED_P(mtod(m, void *))); + KASSERT(TCP_HDR_ALIGNED_P(toff)); IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, sizeof(struct tcphdr)); if (th == NULL) { TCP_STATINC(TCP_STAT_RCVSHORT); return; } + KASSERT(TCP_HDR_ALIGNED_P(th)); /* We do the checksum after PCB lookup... */ len = ntohs(ip->ip_len); tlen = len - toff;
@@ -1295,12 +1304,15 @@ tcp_input(struct mbuf *m, ...)
iphlen = sizeof(struct ip6_hdr); af = AF_INET6; ip6 = mtod(m, struct ip6_hdr *); + KASSERT(TCP_HDR_ALIGNED_P(mtod(m, void *))); + KASSERT(TCP_HDR_ALIGNED_P(toff)); IP6_EXTHDR_GET(th, struct tcphdr *, m, toff, sizeof(struct tcphdr)); if (th == NULL) { TCP_STATINC(TCP_STAT_RCVSHORT); return; } + KASSERT(TCP_HDR_ALIGNED_P(th)); /* Be proactive about malicious use of IPv4 mapped address */ if (IN6_IS_ADDR_V4MAPPED(&ip6->ip6_src) ||
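Review bot: The four assertions added at the top of tcp_input() in the hunk at -1238,6 carry no comment saying which invariant they record, and two of them test the same pointer, `mtod(m, void *)`, once with `IP_HDR_ALIGNED_P` and once with `TCP_HDR_ALIGNED_P`. If the two macros test the same alignment, one of each pair is redundant; if they differ, the reason belongs in a comment. I would put something like `/* IP leaves its header at the start of the first mbuf; toff is the offset of the TCP header from there */` above the block and keep only the stricter macro per operand. The pointer and `toff` assertions are repeated at -1277,12 before `IP6_EXTHDR_GET`, where the same comment would apply. tcp_input() starts and ends outside the hunk.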