Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/e12722b65594
branches:  netbsd-8
changeset: 851697:e12722b65594
user:      martin <martin%NetBSD.org@localhost>
date:      Sat May 05 19:31:33 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #799):

        sys/netipsec/ipsec_output.c: revision 1.75
        sys/netipsec/ipsec_output.c: revision 1.67

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

diffstat:

 sys/netipsec/ipsec_output.c |  30 +++++++++++++++++-------------
 1 files changed, 17 insertions(+), 13 deletions(-)

diffs (90 lines):

diff -r 8b20abdb3764 -r e12722b65594 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c       Sat May 05 19:25:55 2018 +0000
+++ b/sys/netipsec/ipsec_output.c       Sat May 05 19:31:33 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $        */
+/*     $NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $     */
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $");
 
 /*
  * IPsec output processing.
@@ -633,7 +633,7 @@
 #endif
 
 #ifdef INET6
-static void
+static int
 compute_ipsec_pos(struct mbuf *m, int *i, int *off)
 {
        int nxt;
@@ -650,7 +650,11 @@
         * put AH/ESP/IPcomp header.
         *  IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
         */
-       do {
+       while (1) {
+               if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+                       return EINVAL;
+               }
+
                switch (nxt) {
                case IPPROTO_AH:
                case IPPROTO_ESP:
@@ -659,7 +663,7 @@
                 * we should not skip security header added
                 * beforehand.
                 */
-                       return;
+                       return 0;
 
                case IPPROTO_HOPOPTS:
                case IPPROTO_DSTOPTS:
@@ -669,7 +673,7 @@
                 * we should stop there.
                 */
                        if (nxt == IPPROTO_DSTOPTS && dstopt)
-                               return;
+                               return 0;
 
                        if (nxt == IPPROTO_DSTOPTS) {
                                /*
@@ -689,16 +693,14 @@
                        m_copydata(m, *i, sizeof(ip6e), &ip6e);
                        nxt = ip6e.ip6e_nxt;
                        *off = *i + offsetof(struct ip6_ext, ip6e_nxt);
-                       /*
-                        * we will never see nxt == IPPROTO_AH
-                        * so it is safe to omit AH case.
-                        */
                        *i += (ip6e.ip6e_len + 1) << 3;
                        break;
                default:
-                       return;
+                       return 0;
                }
-       } while (*i < m->m_pkthdr.len);
+       }
+
+       return 0;
 }
 
 static int
@@ -802,7 +804,9 @@
                i = ip->ip_hl << 2;
                off = offsetof(struct ip, ip_p);
        } else {        
-               compute_ipsec_pos(m, &i, &off);
+               error = compute_ipsec_pos(m, &i, &off);
+               if (error)
+                       goto unrefsav;
        }
        error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
        KEY_SA_UNREF(&sav);



Home | Main Index | Thread Index | Old Index