[src/trunk]: src/sys/netipsec Fix the iteration: IPPROTO_FRAGMENT options are...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9a77a6f004c2
branches:  trunk
changeset: 829282:9a77a6f004c2
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 24 14:28:13 2018 +0000

description:
Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.

I'm not sure whether this an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.

diffstat:

 sys/netipsec/ipsec_input.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r c655bfb2b8d5 -r 9a77a6f004c2 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Wed Jan 24 14:01:40 2018 +0000
+++ b/sys/netipsec/ipsec_input.c        Wed Jan 24 14:28:13 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $    */
+/*     $NetBSD: ipsec_input.c,v 1.55 2018/01/24 14:28:13 maxv Exp $    */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.55 2018/01/24 14:28:13 maxv Exp $");
 
 /*
  * IPsec input processing.
@@ -507,6 +507,8 @@
 
                        if (nxt == IPPROTO_AH)
                                l = (ip6e.ip6e_len + 2) << 2;
+                       else if (nxt == IPPROTO_FRAGMENT)
+                               l = sizeof(struct ip6_frag);
                        else
                                l = (ip6e.ip6e_len + 1) << 3;
                        KASSERT(l > 0);