Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netipsec Fix the iteration: IPPROTO_FRAGMENT options are...
details: https://anonhg.NetBSD.org/src/rev/22b594b70aa5
branches: trunk
changeset: 358981:22b594b70aa5
user: maxv <maxv%NetBSD.org@localhost>
date: Wed Jan 24 14:28:13 2018 +0000
description:
Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.
I'm not sure whether this an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.
diffstat:
sys/netipsec/ipsec_input.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diffs (27 lines):
diff -r f411a1b93725 -r 22b594b70aa5 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c Wed Jan 24 14:01:40 2018 +0000
+++ b/sys/netipsec/ipsec_input.c Wed Jan 24 14:28:13 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.55 2018/01/24 14:28:13 maxv Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.55 2018/01/24 14:28:13 maxv Exp $");
/*
* IPsec input processing.
@@ -507,6 +507,8 @@
if (nxt == IPPROTO_AH)
l = (ip6e.ip6e_len + 2) << 2;
+ else if (nxt == IPPROTO_FRAGMENT)
+ l = sizeof(struct ip6_frag);
else
l = (ip6e.ip6e_len + 1) << 3;
KASSERT(l > 0);
Home |
Main Index |
Thread Index |
Old Index