CVS commit: [netbsd-8] src/sys/netipsec

Wed, 14 Feb 2018 23:58:51 -0800 

Module Name:    src
Committed By:   martin
Date:           Thu Feb 15 07:58:04 UTC 2018

Modified Files:
        src/sys/netipsec [netbsd-8]: xform_ah.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #549):
        sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.54.2.2 -r1.54.2.3 src/sys/netipsec/xform_ah.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.54.2.2 src/sys/netipsec/xform_ah.c:1.54.2.3
--- src/sys/netipsec/xform_ah.c:1.54.2.2	Fri Jan 26 19:51:19 2018
+++ src/sys/netipsec/xform_ah.c	Thu Feb 15 07:58:04 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $	*/
+/*	$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -628,6 +628,7 @@ ah_input(struct mbuf *m, struct secasvar
 	int hl, rplen, authsize, error, stat = AH_STAT_HDROPS;
 	struct cryptodesc *crda;
 	struct cryptop *crp = NULL;
+	uint8_t nxt;
 
 	IPSEC_SPLASSERT_SOFTNET(__func__);
 
@@ -647,6 +648,8 @@ ah_input(struct mbuf *m, struct secasvar
 		goto bad;
 	}
 
+	nxt = ah->ah_nxt;
+
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
 		char buf[IPSEC_LOGSASTRLEN];
@@ -672,6 +675,18 @@ ah_input(struct mbuf *m, struct secasvar
 		error = EACCES;
 		goto bad;
 	}
+	if (skip + authsize + rplen > m->m_pkthdr.len) {
+		char buf[IPSEC_ADDRSTRLEN];
+		DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+			" for packet in SA %s/%08lx\n", __func__,
+			m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+			ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+			(u_long) ntohl(sav->spi)));
+		stat = AH_STAT_BADAUTHL;
+		error = EACCES;
+		goto bad;
+	}
+
 	AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
 	/* Get crypto descriptors. */
@@ -761,7 +776,7 @@ ah_input(struct mbuf *m, struct secasvar
 	tc->tc_spi = sav->spi;
 	tc->tc_dst = sav->sah->saidx.dst;
 	tc->tc_proto = sav->sah->saidx.proto;
-	tc->tc_nxt = ah->ah_nxt;
+	tc->tc_nxt = nxt;
 	tc->tc_protoff = protoff;
 	tc->tc_skip = skip;
 	tc->tc_sav = sav;

Reply via email to