Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/bd1c27cd3f2b
branches: netbsd-8
changeset: 851372:bd1c27cd3f2b
user: martin <martin%NetBSD.org@localhost>
date: Thu Feb 15 07:58:04 2018 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #549):
sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch
Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.
Make sure the Authentication Header fits the mbuf chain, otherwise panic.
diffstat:
sys/netipsec/xform_ah.c | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
diffs (63 lines):
diff -r 99e91ecfd041 -r bd1c27cd3f2b sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c Thu Feb 15 07:52:17 2018 +0000
+++ b/sys/netipsec/xform_ah.c Thu Feb 15 07:58:04 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $ */
+/* $NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -628,6 +628,7 @@
int hl, rplen, authsize, error, stat = AH_STAT_HDROPS;
struct cryptodesc *crda;
struct cryptop *crp = NULL;
+ uint8_t nxt;
IPSEC_SPLASSERT_SOFTNET(__func__);
@@ -647,6 +648,8 @@
goto bad;
}
+ nxt = ah->ah_nxt;
+
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
char buf[IPSEC_LOGSASTRLEN];
@@ -672,6 +675,18 @@
error = EACCES;
goto bad;
}
+ if (skip + authsize + rplen > m->m_pkthdr.len) {
+ char buf[IPSEC_ADDRSTRLEN];
+ DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+ " for packet in SA %s/%08lx\n", __func__,
+ m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+ ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+ (u_long) ntohl(sav->spi)));
+ stat = AH_STAT_BADAUTHL;
+ error = EACCES;
+ goto bad;
+ }
+
AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
/* Get crypto descriptors. */
@@ -761,7 +776,7 @@
tc->tc_spi = sav->spi;
tc->tc_dst = sav->sah->saidx.dst;
tc->tc_proto = sav->sah->saidx.proto;
- tc->tc_nxt = ah->ah_nxt;
+ tc->tc_nxt = nxt;
tc->tc_protoff = protoff;
tc->tc_skip = skip;
tc->tc_sav = sav;
Home |
Main Index |
Thread Index |
Old Index