Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/ee8c992514c3
branches:  netbsd-8
changeset: 851538:ee8c992514c3
user:      martin <martin%NetBSD.org@localhost>
date:      Sat Mar 31 10:46:20 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #677):

        sys/netipsec/ipsec_input.c: revision 1.55

Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.

I'm not sure whether this an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.

diffstat:

 sys/netipsec/ipsec_input.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r 3e458e01edc5 -r ee8c992514c3 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Sat Mar 31 10:41:06 2018 +0000
+++ b/sys/netipsec/ipsec_input.c        Sat Mar 31 10:46:20 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $      */
+/*     $NetBSD: ipsec_input.c,v 1.43.2.5 2018/03/31 10:46:20 martin Exp $      */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.4 2018/03/30 11:45:58 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.43.2.5 2018/03/31 10:46:20 martin Exp $");
 
 /*
  * IPsec input processing.
@@ -507,6 +507,8 @@
 
                        if (nxt == IPPROTO_AH)
                                l = (ip6e.ip6e_len + 2) << 2;
+                       else if (nxt == IPPROTO_FRAGMENT)
+                               l = sizeof(struct ip6_frag);
                        else
                                l = (ip6e.ip6e_len + 1) << 3;
                        KASSERT(l > 0);



Home | Main Index | Thread Index | Old Index