Source-Changes-HG archive
[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/e12722b65594
branches: netbsd-8
changeset: 851697:e12722b65594
user: martin <martin%NetBSD.org@localhost>
date: Sat May 05 19:31:33 2018 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #799):
sys/netipsec/ipsec_output.c: revision 1.75
sys/netipsec/ipsec_output.c: revision 1.67

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.
diffstat:
sys/netipsec/ipsec_output.c | 30 +++++++++++++++++-------------
1 files changed, 17 insertions(+), 13 deletions(-)
diffs (90 lines):
diff -r 8b20abdb3764 -r e12722b65594 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c Sat May 05 19:25:55 2018 +0000
+++ b/sys/netipsec/ipsec_output.c Sat May 05 19:31:33 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.2 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.48.2.3 2018/05/05 19:31:33 martin Exp $");
/*
* IPsec output processing.
@@ -633,7 +633,7 @@
#endif
#ifdef INET6
-static void
+static int
compute_ipsec_pos(struct mbuf *m, int *i, int *off)
{
int nxt;
@@ -650,7 +650,11 @@
* put AH/ESP/IPcomp header.
* IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
*/
- do {
+ while (1) {
+ if (*i + sizeof(ip6e) > m->m_pkthdr.len) {
+ return EINVAL;
+ }
+
switch (nxt) {
case IPPROTO_AH:
case IPPROTO_ESP:
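Review bot: The new check `if (*i + sizeof(ip6e) > m->m_pkthdr.len)` sits at the top of the loop, ahead of `switch (nxt)`, so it is also applied on iterations that return without reading an ip6_ext (the AH/ESP case here, and the default case further down). That makes it do two jobs at once: guarding the m_copydata read and validating the offset after the previous advance. The side effect is that a packet with fewer than sizeof(ip6e) bytes left at *i gets EINVAL even when nxt is not an extension header. Consider splitting it: a plain `*i > m->m_pkthdr.len` test at the top, and the sizeof(ip6e) test directly before m_copydata. The expression also mixes the int `*i` with a size_t, so the comparison is done unsigned; a short comment or an explicit cast would make that intent clear.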
@@ -659,7 +663,7 @@
* we should not skip security header added
* beforehand.
*/
- return;
+ return 0;
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
@@ -669,7 +673,7 @@
* we should stop there.
*/
if (nxt == IPPROTO_DSTOPTS && dstopt)
- return;
+ return 0;
if (nxt == IPPROTO_DSTOPTS) {
/*
@@ -689,16 +693,14 @@
m_copydata(m, *i, sizeof(ip6e), &ip6e);
nxt = ip6e.ip6e_nxt;
*off = *i + offsetof(struct ip6_ext, ip6e_nxt);
- /*
- * we will never see nxt == IPPROTO_AH
- * so it is safe to omit AH case.
- */
*i += (ip6e.ip6e_len + 1) << 3;
break;
default:
- return;
+ return 0;
}
- } while (*i < m->m_pkthdr.len);
+ }
+
+ return 0;
}
static int
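Review bot: The `return 0;` added after the closing brace of `while (1)` looks unreachable. In the lines shown the loop is only left through `return` statements, and the `break` after `*i += (ip6e.ip6e_len + 1) << 3;` leaves the switch, not the loop. Either drop the trailing return or mark it as not reached, so a later reader does not assume there is a fall-through exit that reports success.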
@@ -802,7 +804,9 @@
i = ip->ip_hl << 2;
off = offsetof(struct ip, ip_p);
} else {
- compute_ipsec_pos(m, &i, &off);
+ error = compute_ipsec_pos(m, &i, &off);
+ if (error)
+ goto unrefsav;
}
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
KEY_SA_UNREF(&sav);
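Review bot: On the new error path, `if (error) goto unrefsav;`, the commit message says the packet is dropped entirely, but nothing in the lines shown makes it visible that m is freed at that label. Please confirm that unrefsav releases the mbuf as well as the SA reference, otherwise each malformed forwarded packet leaks an mbuf chain. It would also help to bump an error or drop statistic on this path so that these packets show up in counters rather than disappearing silently.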