Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-0]: src/sys/netipsec Pull up following revision(s) (requested b...
details: https://anonhg.NetBSD.org/src/rev/2f696a791563
branches: netbsd-7-0
changeset: 801485:2f696a791563
user: martin <martin%NetBSD.org@localhost>
date: Thu May 03 14:49:50 2018 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #1600):
sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)
Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).
Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.
Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.
diffstat:
sys/netipsec/ipsec_output.c | 30 +++++++++++++++++-------------
1 files changed, 17 insertions(+), 13 deletions(-)
diffs (90 lines):
diff -r e69739c72220 -r 2f696a791563 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c Tue Apr 17 15:40:11 2018 +0000
+++ b/sys/netipsec/ipsec_output.c Thu May 03 14:49:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.40 2013/11/03 18:37:10 mrg Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.40.8.1 2018/05/03 14:49:50 martin Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.40 2013/11/03 18:37:10 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.40.8.1 2018/05/03 14:49:50 martin Exp $");
/*
* IPsec output processing.
@@ -624,7 +624,7 @@
#endif
#ifdef INET6
-static void
+static int
compute_ipsec_pos(struct mbuf *m, int *i, int *off)
{
int nxt;
@@ -641,7 +641,11 @@
* put AH/ESP/IPcomp header.
* IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
*/
- do {
+ while (1) {
+ if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+ return EINVAL;
+ }
+
switch (nxt) {
case IPPROTO_AH:
case IPPROTO_ESP:
@@ -650,7 +654,7 @@
* we should not skip security header added
* beforehand.
*/
- return;
+ return 0;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
@@ -660,7 +664,7 @@
* we should stop there.
*/
if (nxt == IPPROTO_DSTOPTS && dstopt)
- return;
+ return 0;
if (nxt == IPPROTO_DSTOPTS) {
/*
@@ -680,16 +684,14 @@
m_copydata(m, *i, sizeof(ip6e), &ip6e);
nxt = ip6e.ip6e_nxt;
*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
- /*
- * we will never see nxt == IPPROTO_AH
- * so it is safe to omit AH case.
- */
*i += (ip6e.ip6e_len + 1) << 3;
break;
default:
- return;
+ return 0;
}
- } while (*i < m->m_pkthdr.len);
+ }
+
+ return 0;
}
static int
@@ -791,7 +793,9 @@
i = ip->ip_hl << 2;
off = offsetof(struct ip, ip_p);
} else {
- compute_ipsec_pos(m, &i, &off);
+ error = compute_ipsec_pos(m, &i, &off);
+ if (error)
+ goto bad;
}
error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
splx(s);
Home |
Main Index |
Thread Index |
Old Index