Module Name: src
Committed By: spz
Date: Fri Apr 1 08:29:30 UTC 2011
Modified Files:
src/sys/netipsec: xform_ipcomp.c
Log Message:
mitigation for CVE-2011-1024
To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/netipsec/xform_ipcomp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.25 src/sys/netipsec/xform_ipcomp.c:1.26
--- src/sys/netipsec/xform_ipcomp.c:1.25 Thu Feb 24 20:03:41 2011
+++ src/sys/netipsec/xform_ipcomp.c Fri Apr 1 08:29:29 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.25 2011/02/24 20:03:41 drochner Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.25 2011/02/24 20:03:41 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.26 2011/04/01 08:29:29 spz Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#include "opt_inet.h"
@@ -326,6 +326,14 @@
/* Keep the next protocol field */
addr = (uint8_t*) mtod(m, struct ip *) + skip;
nproto = ((struct ipcomp *) addr)->comp_nxt;
+ if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) {
+ IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
+ DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n",
+ ipsec_address(&sav->sah->saidx.dst),
+ (u_long) ntohl(sav->spi)));
+ error = EINVAL;
+ goto bad;
+ }
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
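Review bot: The new rejection block at the `if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP)` line carries no comment, so the reason these three next-protocol values are refused is recoverable only from the commit message; add `/* Refuse IPComp/AH/ESP as the next protocol of an IPComp payload (CVE-2011-1024 mitigation) */` above it. The DPRINTF text reads `nested ipcomp` even when the rejected value is AH or ESP; `nested ipsec` would describe all three cases. Since comp_nxt is read from the IPComp header itself rather than from decompressed data, the same test could presumably be applied before the decompression request is issued, which would drop such packets without spending decompressor work on them — worth confirming against ipcomp_input, which is outside this hunk. The enclosing ipcomp_input_cb starts and ends outside the hunk.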