Subject: kern/36038: Byte order problem for SADB_GETSPI in FAST_IPSEC
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Karl Knutsson <karl.knutsson@ericsson.com>
List: netbsd-bugs
Date: 03/19/2007 12:40:00
>Number: 36038
>Category: kern
>Synopsis: Byte order problem for SADB_GETSPI in FAST_IPSEC
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 19 12:40:00 +0000 2007
>Originator: Karl Knutsson <karl.knutsson@ericsson.com>
>Release: NetBSD 3.0
>Organization:
LM Ericsson
>Environment:
System: NetBSD zuul 3.0.0_STABLE NetBSD 3.0.0_STABLE (SPEED) #0: Mon Sep 18 16:59:06 CEST 2006
Architecture: i386
Machine: i386
>Description:
When key_do_getnewspi generates new SPIs it calls key_checkspidup to verify
that the SPI isn't already used. The problem is that it does so while
the SPI is in host order (it is converted in key_getspi). This makes it
possible to generate SAs with the same destination, protocol and SPI.
>How-To-Repeat:
Send a series of SADB_GETSPI commands with the same protocol and destination
address (should be the address of a local interface) and supply the
SADB_EXT_SPIRANGE extensions with sadb_spirange_min and sadb_spirange_max
set to 9999.
# setkey -D
192.168.0.2 192.168.66.2
esp mode=any spi=9999(0x0000270f) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=4 pid=103 refcnt=1
192.168.0.2 192.168.66.2
esp mode=any spi=9999(0x0000270f) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=3 pid=103 refcnt=1
192.168.0.2 192.168.66.2
esp mode=any spi=9999(0x0000270f) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=2 pid=103 refcnt=1
192.168.0.2 192.168.66.2
esp mode=any spi=9999(0x0000270f) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=1 pid=103 refcnt=1
192.168.0.2 192.168.66.2
esp mode=any spi=9999(0x0000270f) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=0 pid=103 refcnt=1
>Fix:
Index: key.c
===================================================================
RCS file: /cvsroot/src/sys/netipsec/key.c,v
retrieving revision 1.23
diff -u -r1.23 key.c
--- key.c 28 Feb 2005 17:47:50 -0000 1.23
+++ key.c 16 Mar 2007 09:09:04 -0000
@@ -4826,7 +4826,7 @@
}
if (min == max) {
- if (key_checkspidup(saidx, min) != NULL) {
+ if (key_checkspidup(saidx, htonl(min)) != NULL) {
ipseclog((LOG_DEBUG, "key_do_getnewspi: SPI %u exists al
ready.\n", min));
return 0;
}
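Review bot: In the min == max branch nothing at the call site says why min is now wrapped in htonl(), while the ipseclog line directly below still prints min in host order. Add a one-line comment that key_checkspidup compares against SPIs in network byte order, so a later cleanup does not drop the conversion as redundant. Keeping the log output in host order is reasonable since it matches what setkey prints in decimal.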
@@ -4844,7 +4844,7 @@
/* generate pseudo-random SPI value ranged. */
newspi = min + (key_random() % (max - min + 1));
- if (key_checkspidup(saidx, newspi) == NULL)
+ if (key_checkspidup(saidx, htonl(newspi)) == NULL)
break;
}
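Review bot: The loop check repeats the same htonl() wrapping as the min == max branch, and newspi stays in host order after the break, so the value that was checked and the value that leaves the loop differ in representation. Consider moving the conversion into one small helper used by both call sites, or converting once into a local such as "spi_n = htonl(newspi)", and state in the function comment which byte order key_do_getnewspi returns.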
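The mismatch described in this report, as an added example that is not part of the original PR or the NetBSD source: a toy SA table that keeps SPIs in network byte order, with the duplicate check run as before and after the htonl() change. All toy_* names are hypothetical stand-ins, and the network-order storage is an assumption taken from the report's description.

```c
/* Added illustration; toy_* names are hypothetical, not NetBSD code. */
#include <arpa/inet.h>  /* htonl */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_SA 8

/* Constructed SA table: SPIs are kept in network byte order (assumption
 * taken from the report: the SPI is converted before it is stored). */
struct toy_sadb {
    uint32_t spi_net[TOY_MAX_SA];
    size_t n;
};

/* Stand-in for key_checkspidup(): compares against network-order SPIs. */
static const uint32_t *toy_checkspidup(const struct toy_sadb *db, uint32_t spi)
{
    for (size_t i = 0; i < db->n; i++)
        if (db->spi_net[i] == spi)
            return &db->spi_net[i];
    return NULL;
}

/* min == max case of SPI allocation. patched == 0 probes with the
 * host-order value (pre-patch); patched != 0 probes with htonl(spi). */
static int toy_getspi(struct toy_sadb *db, uint32_t spi_host, int patched)
{
    uint32_t probe = patched ? htonl(spi_host) : spi_host;
    if (db->n == TOY_MAX_SA || toy_checkspidup(db, probe) != NULL)
        return 0;                           /* refused: SPI exists */
    db->spi_net[db->n++] = htonl(spi_host); /* larval SA created */
    return 1;
}

/* SAs that exist after `requests` identical requests for SPI 9999. */
static size_t toy_repeat(int patched, int requests)
{
    struct toy_sadb db = { .n = 0 };
    for (int i = 0; i < requests; i++)
        toy_getspi(&db, 9999, patched);
    return db.n;
}

int main(void)
{
    printf("unpatched: %zu, patched: %zu\n", toy_repeat(0, 5), toy_repeat(1, 5));
    return 0;
}
```

On a little-endian host such as the i386 system in the report, the unpatched path ends with five entries for SPI 9999 and the patched path with one. On a big-endian host htonl() is the identity, so both paths refuse the duplicates.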