Module Name: src Committed By: martin Date: Thu Feb 15 07:58:04 UTC 2018
Modified Files: src/sys/netipsec [netbsd-8]: xform_ah.c Log Message: Pull up following revision(s) (requested by maxv in ticket #549): sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch Fix use-after-free, 'ah' may not be valid after m_makewritable and ah_massage_headers. Make sure the Authentication Header fits the mbuf chain, otherwise panic. To generate a diff of this commit: cvs rdiff -u -r1.54.2.2 -r1.54.2.3 src/sys/netipsec/xform_ah.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.54.2.2 src/sys/netipsec/xform_ah.c:1.54.2.3 --- src/sys/netipsec/xform_ah.c:1.54.2.2 Fri Jan 26 19:51:19 2018 +++ src/sys/netipsec/xform_ah.c Thu Feb 15 07:58:04 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $ */ +/* $NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -628,6 +628,7 @@ ah_input(struct mbuf *m, struct secasvar int hl, rplen, authsize, error, stat = AH_STAT_HDROPS; struct cryptodesc *crda; struct cryptop *crp = NULL; + uint8_t nxt; IPSEC_SPLASSERT_SOFTNET(__func__); @@ -647,6 +648,8 @@ ah_input(struct mbuf *m, struct secasvar goto bad; } + nxt = ah->ah_nxt; + /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { char buf[IPSEC_LOGSASTRLEN]; @@ -672,6 +675,18 @@ ah_input(struct mbuf *m, struct secasvar error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + char buf[IPSEC_ADDRSTRLEN]; + DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long)(skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + stat = AH_STAT_BADAUTHL; + error = EACCES; + goto bad; + } + AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -761,7 +776,7 @@ ah_input(struct mbuf *m, struct secasvar tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = nxt; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_sav = sav;