[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/906494fe5a17
branches:  netbsd-8
changeset: 434636:906494fe5a17
user:      martin <martin%NetBSD.org@localhost>
date:      Thu Feb 15 07:58:04 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #549):
        sys/netipsec/xform_ah.c: revision 1.80-1.81 via patch

Fix use-after-free, 'ah' may not be valid after m_makewritable and
ah_massage_headers.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.

diffstat:

 sys/netipsec/xform_ah.c |  21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diffs (63 lines):

diff -r f26eb424b380 -r 906494fe5a17 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Thu Feb 15 07:52:17 2018 +0000
+++ b/sys/netipsec/xform_ah.c   Thu Feb 15 07:58:04 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $ */
+/*     $NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $ */
 /*     $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.3 2018/02/15 07:58:04 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -628,6 +628,7 @@
        int hl, rplen, authsize, error, stat = AH_STAT_HDROPS;
        struct cryptodesc *crda;
        struct cryptop *crp = NULL;
+       uint8_t nxt;
 
        IPSEC_SPLASSERT_SOFTNET(__func__);
 
@@ -647,6 +648,8 @@
                goto bad;
        }
 
+       nxt = ah->ah_nxt;
+
        /* Check replay window, if applicable. */
        if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
                char buf[IPSEC_LOGSASTRLEN];
@@ -672,6 +675,18 @@
                error = EACCES;
                goto bad;
        }
+       if (skip + authsize + rplen > m->m_pkthdr.len) {
+               char buf[IPSEC_ADDRSTRLEN];
+               DPRINTF(("%s: bad mbuf length %u (expecting >= %lu)"
+                       " for packet in SA %s/%08lx\n", __func__,
+                       m->m_pkthdr.len, (u_long)(skip + authsize + rplen),
+                       ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+                       (u_long) ntohl(sav->spi)));
+               stat = AH_STAT_BADAUTHL;
+               error = EACCES;
+               goto bad;
+       }
+
        AH_STATADD(AH_STAT_IBYTES, m->m_pkthdr.len - skip - hl);
 
        /* Get crypto descriptors. */
@@ -761,7 +776,7 @@
        tc->tc_spi = sav->spi;
        tc->tc_dst = sav->sah->saidx.dst;
        tc->tc_proto = sav->sah->saidx.proto;
-       tc->tc_nxt = ah->ah_nxt;
+       tc->tc_nxt = nxt;
        tc->tc_protoff = protoff;
        tc->tc_skip = skip;
        tc->tc_sav = sav;