Module Name:    src
Committed By:   maxv
Date:           Thu Feb 15 07:38:46 UTC 2018

Modified Files:
        src/sys/netipsec: xform_ah.c

Log Message:
Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.81 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.80 src/sys/netipsec/xform_ah.c:1.81
--- src/sys/netipsec/xform_ah.c:1.80	Thu Feb 15 07:16:05 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 07:38:46 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.80 2018/02/15 07:16:05 maxv Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.81 2018/02/15 07:38:46 maxv Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.80 2018/02/15 07:16:05 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.81 2018/02/15 07:38:46 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -670,6 +670,17 @@ ah_input(struct mbuf *m, struct secasvar
 		error = EACCES;
 		goto bad;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		stat = AH_STAT_BADAUTHL;
+		error = EACCES;
+		goto bad;
+	}
 
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 

Reply via email to