Source-Changes-HG archive


[src/trunk]: src/sys/netipsec Fix use-after-free. There is a path where the m...



details:   https://anonhg.NetBSD.org/src/rev/6159e62377d3
branches:  trunk
changeset: 829006:6159e62377d3
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun Jan 14 16:36:04 2018 +0000

description:
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:

218     ipo = mtod(m, struct ip *);
281     m = m_pullup(m, hlen);
232     ipo->ip_src.s_addr

Found by Mootja.

Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.

diffstat:

 sys/netipsec/xform_ipip.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r c6859a786422 -r 6159e62377d3 sys/netipsec/xform_ipip.c
--- a/sys/netipsec/xform_ipip.c Sun Jan 14 16:18:11 2018 +0000
+++ b/sys/netipsec/xform_ipip.c Sun Jan 14 16:36:04 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ipip.c,v 1.55 2017/11/15 10:42:41 knakahara Exp $        */
+/*     $NetBSD: xform_ipip.c,v 1.56 2018/01/14 16:36:04 maxv Exp $     */
 /*     $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /*     $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.55 2017/11/15 10:42:41 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.56 2018/01/14 16:36:04 maxv Exp $");
 
 /*
  * IP-inside-IP processing
@@ -301,7 +301,8 @@
 #endif /* INET */
 #ifdef INET6
        case 6:
-                ip6 = (struct ip6_hdr *) ipo;
+               ipo = mtod(m, struct ip *);
+               ip6 = (struct ip6_hdr *)ipo;
                itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
                ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos);
                ip6->ip6_flow &= ~htonl(0xff << 20);
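Review bot: the refreshed `ipo = mtod(m, struct ip *);` is added only in the `case 6:` arm, while the commit message cites an `ipo->ip_src.s_addr` use at line 232 that this hunk does not show; confirm that the IPv4 arm above the `#endif /* INET */` context also re-derives `ipo` after the `m_pullup`, or that the pullup only happens on this path. Since `ipo` is cast straight to `struct ip6_hdr *` on the next line, consider assigning the `mtod` result to `ip6` directly and, as the commit message itself suggests, setting `ipo = NULL` so an IPv4-typed pointer cannot be reused later on the IPv6 path; a one-line comment noting that `m_pullup` may have moved the data would make the repeated `mtod` self-explanatory. The whitespace change in the cast (`(struct ip6_hdr *) ipo` to `(struct ip6_hdr *)ipo`) is unrelated style cleanup bundled into the fix.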

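As an added illustration, not code from this commit or from NetBSD: a toy mbuf whose pullup always relocates the data, showing the stale-pointer shape the commit message describes beside the corrected shape from the diff. `struct mbuf`, `toy_m_get`, `toy_m_pullup`, `struct ipo_hdr` and `sample_pkt` are constructed stand-ins for the kernel's mbuf API and `struct ip`, chosen so the buggy shape can be detected without actually dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct mbuf { uint8_t *m_data; int m_len; };  /* toy mbuf: heap block a pullup may replace */
#define mtod(m, t) ((t)((m)->m_data))
struct ipo_hdr { uint8_t ip_vhl, ip_tos; uint16_t ip_len; uint8_t rest[8]; uint32_t ip_src, ip_dst; };
/* Constructed sample: 20-byte inner IPv4 header, src 10.0.0.1, dst 10.0.0.2. */
static const uint8_t sample_pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 4, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };

static struct mbuf *toy_m_get(const uint8_t *pkt, int len)
{
    struct mbuf *m = malloc(sizeof *m);
    *m = (struct mbuf){ memcpy(malloc(len), pkt, len), len };
    return m;
}
static void toy_m_free(struct mbuf *m) { free(m->m_data); free(m); }
/* Toy m_pullup: like the real one it may return a different mbuf with data in new
 * storage and free the old, so every pointer taken with mtod() before it dangles. */
static struct mbuf *toy_m_pullup(struct mbuf *m, int len)
{
    if (len > m->m_len) { toy_m_free(m); return NULL; }
    struct mbuf *n = toy_m_get(m->m_data, m->m_len); /* new block allocated while old is live */
    toy_m_free(m);                                   /* the toy always moves; the real one only sometimes */
    return n;
}
/* Buggy shape from the commit message: ipo taken before the pullup and kept across
 * it. The stale pointer is only compared, never dereferenced (that is the UAF). */
static bool ipo_is_stale_after_pullup(const uint8_t *pkt, int len, int hlen)
{
    struct mbuf *m = toy_m_get(pkt, len);
    struct ipo_hdr *ipo = mtod(m, struct ipo_hdr *); /* 218: ipo = mtod(m, struct ip *) */
    m = toy_m_pullup(m, hlen);                        /* 281: m = m_pullup(m, hlen) */
    if (m == NULL) return true;
    bool stale = (ipo != mtod(m, struct ipo_hdr *));  /* 232 would read ipo->ip_src here */
    toy_m_free(m);
    return stale;
}
/* Fixed shape: re-derive ipo from the mbuf the pullup returned, as the diff does. */
static uint32_t ip_src_after_pullup(const uint8_t *pkt, int len, int hlen)
{
    struct mbuf *m = toy_m_pullup(toy_m_get(pkt, len), hlen);
    if (m == NULL) return 0;
    struct ipo_hdr *ipo = mtod(m, struct ipo_hdr *);  /* refreshed after the pullup */
    const uint8_t *s = (const uint8_t *)&ipo->ip_src; /* network order -> host value */
    uint32_t src = (uint32_t)s[0] << 24 | (uint32_t)s[1] << 16 | (uint32_t)s[2] << 8 | s[3];
    toy_m_free(m);
    return src;
}
```

The buggy function reports that the pre-pullup pointer no longer matches the live mbuf, which is exactly the condition under which the original line 232 read freed memory.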
