PR/53189 CVS commit: [netbsd-8] src/sys/netipsec

["Martin Husemann" <martin%netbsd.org@localhost>]

The following reply was made to PR kern/53189; it has been noted by GNATS.

From: "Martin Husemann" <martin%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/53189 CVS commit: [netbsd-8] src/sys/netipsec
Date: Tue, 17 Apr 2018 15:06:20 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Tue Apr 17 15:06:20 UTC 2018
 
 Modified Files:
 	src/sys/netipsec [netbsd-8]: ipsec_mbuf.c
 
 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #773):
 
 	sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24
 
 Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
 should, but it looks like there are several places that can put M_PKTHDR
 on secondary mbufs (PR/53189), so drop this assumption right now to
 prevent further bugs.
 
 The check is replaced by (m1 != m), which is equivalent to the previous
 code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
 m_adj().
 
 Fix a pretty bad mistake, that has always been there.
 
 		m_adj(m1, -(m1->m_len - roff));
 		if (m1 != m)
 			m->m_pkthdr.len -= (m1->m_len - roff);
 
 This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
 when manually adjusting m->m_pkthdr.len.
 
 Because of that, it is possible to exploit the attack I described in
 uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
 reliably.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.16 -r1.16.2.1 src/sys/netipsec/ipsec_mbuf.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.