[src/trunk]: src/sys/netinet6 mitigation for CVE-2011-1547
details: https://anonhg.NetBSD.org/src/rev/b934e866d913
branches: trunk
changeset: 763725:b934e866d913
user: spz <spz%NetBSD.org@localhost>
date: Fri Apr 01 08:25:02 2011 +0000
description:
mitigation for CVE-2011-1547
this should really be solved by counting nested headers (like in the
inet6 case) instead
diffstat:
sys/netinet6/ipcomp_input.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diffs (32 lines):
diff -r 5e225602a34f -r b934e866d913 sys/netinet6/ipcomp_input.c
--- a/sys/netinet6/ipcomp_input.c Fri Apr 01 06:51:54 2011 +0000
+++ b/sys/netinet6/ipcomp_input.c Fri Apr 01 08:25:02 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $ */
+/* $NetBSD: ipcomp_input.c,v 1.37 2011/04/01 08:25:02 spz Exp $ */
/* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */
/*
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.37 2011/04/01 08:25:02 spz Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -148,6 +148,13 @@
ipcomp = mtod(md, struct ipcomp *);
ip = mtod(m, struct ip *);
nxt = ipcomp->comp_nxt;
+ if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+ /* nested ipcomp - possible attack, not likely useful */
+ ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp "
+ "(bailing)\n"));
+ IPSEC_STATINC(IPSEC_STAT_IN_INVAL);
+ goto fail;
+ }
hlen = ip->ip_hl << 2;
cpi = ntohs(ipcomp->comp_cpi);
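Review bot: The comment and log message in the added block describe the rejected case as "nested ipcomp", but the condition also bails when the inner header is AH or ESP, so a reader of the debug log will misattribute a dropped IPComp-over-ESP or IPComp-over-AH packet. Since the decision is based on `ipcomp->comp_nxt`, which is read straight from the packet, the wording should name every value the check rejects: `/* nested ipcomp/ah/esp - possible attack, not likely useful */` and `"IPv4 IPComp input: nested ipcomp/ah/esp "`. The statistic counter and the `goto fail` look consistent with the other invalid-input paths, but the `fail` label and the enclosing function start and end outside this hunk, so that cannot be confirmed here.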