CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/07/14 07:08:20
Modified files:
sys/crypto : Tag: OPENBSD_7_8 cryptosoft.c
sys/netinet : Tag: OPENBSD_7_8 ip_ah.c ipsec_input.c
Log message:
Handle allocation failure and track correct mbuf length in IPComp.
In swcr_compdec() m_copyback(M_NOWAIT) may fail, but the error is
not checked. The mbuf chain could be too short, but the expected
length is returned as result. Then ipcomp_input() will not set
m->m_pkthdr.len to the actual length of the mbuf chain. This only
affects decompression, other cases do not need additional memory
for enlarging.
from bluhm@; OK deraadt@
IPComp decompression must not overflow mbuf cluster.
Check after decompressing an IPComp packet, that the content fits
into a mbuf cluster. m_copyback() assumes that it can allocate a
single mbuf cluster to enlarge the mbuf chain. That means the
decompressed data must not exceed MAXMCLBYTES. Prevent panic:
m_clget: request for 67948 byte cluster.
from bluhm@; reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
IPsec AH must contain replay counter.
Before reading the replay counter from packet header in ah_input(),
make sure that the mbuf is long enough. Prevents panic: m_copydata:
null mbuf.
from bluhm@; reported by Homura Akemi, SecBuddyF, Tencent KeenLab; OK mvs@
In ipsec_common_input_cb() ensure that the packet size does not overflow
the maximum packet size before writing the value back to the IP header.
IPv4 and IPv6 have slightly different rules and so do it per AF.
from claudio@; OK millert@
errata/7.8/043_ipsec.patch.sig