NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

PR/53189 CVS commit: [netbsd-7-0] src/sys/netipsec

The following reply was made to PR kern/53189; it has been noted by GNATS.

From: "Martin Husemann" <>
Subject: PR/53189 CVS commit: [netbsd-7-0] src/sys/netipsec
Date: Tue, 17 Apr 2018 15:38:57 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Tue Apr 17 15:38:57 UTC 2018
 Modified Files:
 	src/sys/netipsec [netbsd-7-0]: ipsec_mbuf.c
 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1599):
 	sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24 (via patch)
 Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
 should, but it looks like there are several places that can put M_PKTHDR
 on secondary mbufs (PR/53189), so drop this assumption right now to
 prevent further bugs.
 The check is replaced by (m1 != m), which is equivalent to the previous
 code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
 Fix a pretty bad mistake, that has always been there.
 		m_adj(m1, -(m1->m_len - roff));
 		if (m1 != m)
 			m->m_pkthdr.len -= (m1->m_len - roff);
 This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
 when manually adjusting m->m_pkthdr.len.
 Because of that, it is possible to exploit the attack I described in
 uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.12.34.1 src/sys/netipsec/ipsec_mbuf.c
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Home | Main Index | Thread Index | Old Index