CVS commit: [netbsd-7] src/sys/netipsec

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: [netbsd-7] src/sys/netipsec
From: "Martin Husemann" <martin%netbsd.org@localhost>
Date: Tue, 17 Apr 2018 15:10:53 +0000

Module Name:    src
Committed By:   martin
Date:           Tue Apr 17 15:10:53 UTC 2018

Modified Files:
        src/sys/netipsec [netbsd-7]: ipsec_mbuf.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1599):

        sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24 (via patch)

Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.

The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().

Fix a pretty bad mistake, that has always been there.

                m_adj(m1, -(m1->m_len - roff));
                if (m1 != m)
                        m->m_pkthdr.len -= (m1->m_len - roff);

This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.

Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.30.1 src/sys/netipsec/ipsec_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: [netbsd-8] src/sys/netipsec
Next by Date: CVS commit: src/sbin/nvmectl
Previous by Thread: CVS commit: [netbsd-8] src/sys/netipsec
Next by Thread: CVS commit: src/sbin/nvmectl
Indexes:

Home | Main Index | Thread Index | Old Index