PR/53189 CVS commit: [netbsd-6-0] src/sys/netipsec

["SAITOH Masanobu" <msaitoh%netbsd.org@localhost>]

The following reply was made to PR kern/53189; it has been noted by GNATS.

From: "SAITOH Masanobu" <msaitoh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/53189 CVS commit: [netbsd-6-0] src/sys/netipsec
Date: Wed, 18 Apr 2018 07:17:48 +0000

 Module Name:	src
 Committed By:	msaitoh
 Date:		Wed Apr 18 07:17:48 UTC 2018
 
 Modified Files:
 	src/sys/netipsec [netbsd-6-0]: ipsec_mbuf.c
 
 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1545):
 	sys/netipsec/ipsec_mbuf.c: revision 1.23
 	sys/netipsec/ipsec_mbuf.c: revision 1.24
 Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
 should, but it looks like there are several places that can put M_PKTHDR
 on secondary mbufs (PR/53189), so drop this assumption right now to
 prevent further bugs.
 The check is replaced by (m1 != m), which is equivalent to the previous
 code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
 m_adj().
 Fix a pretty bad mistake, that has always been there.
          m_adj(m1, -(m1->m_len - roff));
          if (m1 != m)
              m->m_pkthdr.len -= (m1->m_len - roff);
 This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
 when manually adjusting m->m_pkthdr.len.
 Because of that, it is possible to exploit the attack I described in
 uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
 reliably.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.12.16.1 src/sys/netipsec/ipsec_mbuf.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.