The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=10eb2a2bde616e52ae2939df90c04483383a34f7
commit 10eb2a2bde616e52ae2939df90c04483383a34f7 Author: Mark Johnston <[email protected]> AuthorDate: 2021-09-10 13:07:59 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2021-09-10 13:09:00 +0000 ipsec: Validate the protocol identifier in ipsec4_ctlinput() key_allocsa() expects to handle only IPSec protocols and has an assertion to this effect. However, ipsec4_ctlinput() has to handle messages from ICMP unreachable packets and was not validating the protocol number. In practice such a packet would simply fail to match any SADB entries and would thus be ignored. Reported by: [email protected] Reviewed by: ae MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31890 --- sys/netipsec/ipsec_input.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 07a3ef583be8..73202cbb528b 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v) struct icmp *icp; struct ip *ip = v; uint32_t pmtu, spi; + uint8_t proto; if (code != PRC_MSGSIZE || ip == NULL) return (EINVAL); @@ -289,8 +290,13 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v) if (pmtu < V_ip4_ipsec_min_pmtu) return (EINVAL); + proto = ip->ip_p; + if (proto != IPPROTO_ESP && proto != IPPROTO_AH && + proto != IPPROTO_IPCOMP) + return (EINVAL); + memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi)); - sav = key_allocsa((union sockaddr_union *)sa, ip->ip_p, spi); + sav = key_allocsa((union sockaddr_union *)sa, proto, spi); if (sav == NULL) return (ENOENT); _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
