CVS commit: src/sys/netipsec

[Maxime Villard]

Module Name:    src
Committed By:   maxv
Date:           Wed Feb 21 16:55:53 UTC 2018

Modified Files:
        src/sys/netipsec: ipsec_output.c

Log Message:
Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.66 src/sys/netipsec/ipsec_output.c:1.67
--- src/sys/netipsec/ipsec_output.c:1.66	Thu Feb  8 20:57:41 2018
+++ src/sys/netipsec/ipsec_output.c	Wed Feb 21 16:55:53 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.66 2018/02/08 20:57:41 maxv Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.66 2018/02/08 20:57:41 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $");
 
 /*
  * IPsec output processing.
@@ -696,7 +696,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
 		default:
 			return;
 		}
-	} while (*i < m->m_pkthdr.len);
+	} while (*i + sizeof(ip6e) < m->m_pkthdr.len);
 }
 
 static int