Module Name:    src
Committed By:   jdc
Date:           Sun Apr  3 06:08:35 UTC 2011

Modified Files:
        src/sys/netinet6 [netbsd-5]: ipcomp_input.c
        src/sys/netipsec [netbsd-5]: xform_ipcomp.c

Log Message:
Pull up:
  src/sys/netinet6/ipcomp_input.c  revision 1.37
  src/sys/netipsec/xform_ipcomp.c  revision 1.26

(requested by spz in ticket #1590).

mitigation for CVE-2011-1547


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.36.10.1 src/sys/netinet6/ipcomp_input.c
cvs rdiff -u -r1.18 -r1.18.12.1 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.36 src/sys/netinet6/ipcomp_input.c:1.36.10.1
--- src/sys/netinet6/ipcomp_input.c:1.36	Mon May  5 13:41:30 2008
+++ src/sys/netinet6/ipcomp_input.c	Sun Apr  3 06:08:35 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.36.10.1 2011/04/03 06:08:35 jdc Exp $	*/
 /*	$KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $	*/
 
 /*
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.36.10.1 2011/04/03 06:08:35 jdc Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -148,6 +148,13 @@
 	ipcomp = mtod(md, struct ipcomp *);
 	ip = mtod(m, struct ip *);
 	nxt = ipcomp->comp_nxt;
+	if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+		/* nested ipcomp - possible attack, not likely useful */
+		ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp "
+		    "(bailing)\n"));
+		IPSEC_STATINC(IPSEC_STAT_IN_INVAL);
+		goto fail;
+	}
 	hlen = ip->ip_hl << 2;
 
 	cpi = ntohs(ipcomp->comp_cpi);
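Review bot: The comment on the new guard explains only the nested-IPComp case, while the condition also rejects AH and ESP as IPComp's next header, so a reader may take those two branches as accidental or as dropping legitimate traffic; widen it to something like `/* IPComp carrying IPComp/AH/ESP: compression is applied before AH/ESP (RFC 2393), so a conforming peer never produces this, and repeatedly decompressing attacker-controlled payloads is a CPU DoS (CVE-2011-1547) - reject. */`. The same gap applies to the parallel check in xform_ipcomp.c (ipcomp_input_cb), whose DPRINTF text likewise says only "nested ipcomp". The enclosing function starts before and ends after this hunk; the log text names the IPv4 path only, so whether the IPv6 input routine in this file needs the same guard is not visible here and is worth confirming.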

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.18 src/sys/netipsec/xform_ipcomp.c:1.18.12.1
--- src/sys/netipsec/xform_ipcomp.c:1.18	Wed Apr 23 06:09:05 2008
+++ src/sys/netipsec/xform_ipcomp.c	Sun Apr  3 06:08:35 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.18.12.1 2011/04/03 06:08:35 jdc Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18 2008/04/23 06:09:05 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.18.12.1 2011/04/03 06:08:35 jdc Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #include "opt_inet.h"
@@ -318,6 +318,14 @@
 	/* Keep the next protocol field */
 	addr = (uint8_t*) mtod(m, struct ip *) + skip;
 	nproto = ((struct ipcomp *) addr)->comp_nxt;
+	if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) {
+		IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
+		DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n",
+			 ipsec_address(&sav->sah->saidx.dst),
+			 (u_long) ntohl(sav->spi)));
+		error = EINVAL;
+		goto bad;
+	}
 
 	/* Remove the IPCOMP header */
 	error = m_striphdr(m, skip, hlen);
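Review bot: The rejection is accounted as IPCOMP_STAT_HDROPS, which folds a deliberate security drop into the generic malformed-header counter, and the only specific signal is the DPRINTF, which - if it follows the usual debug-build-only convention - is absent from production kernels, so an operator can detect this condition only as an unexplained rise in header drops. A dedicated drop counter, or a rate-limited runtime log as ipcomp_input.c in this same commit does with ipseclog, would make the event observable. The `bad:` label and the rest of ipcomp_input_cb are outside the hunk, so the release of the mbuf and the SA reference on this path is assumed from the function's existing error handling.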
