Source-Changes-HG archive


[src/netbsd-8]: src/sys/netipsec Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/b0f4339079c5
branches:  netbsd-8
changeset: 851315:b0f4339079c5
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Jan 26 19:51:19 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #512):
        sys/netipsec/xform_ah.c: revision 1.75
        sys/netipsec/xform_ah.c: revision 1.76
Revert a part of rev1.49 (six months ago). The pointer given to memcpy
was correct.
Discussed with Christos and Ryota.
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
crash the kernel with a single packet.
In this loop we need to increment 'ad' by two, because the length field
of the option header does not count the size of the option header itself.
If the length is zero, then 'count' is incremented by zero, and there's
an infinite loop. Beyond that, this code was written with the assumption
that since the IPv6 packet already went through the generic IPv6 option
parser, several fields are guaranteed to be valid; but this assumption
does not hold because of the missing '+2', and there's as a result a
triggerable buffer overflow (write zeros after the end of the mbuf,
potentially to the next mbuf in memory since it's a pool).
Add the missing '+2', this place will be reinforced in separate commits.

diffstat:

 sys/netipsec/xform_ah.c |  10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diffs (42 lines):

diff -r 7f1b35014de9 -r b0f4339079c5 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Fri Jan 26 15:41:12 2018 +0000
+++ b/sys/netipsec/xform_ah.c   Fri Jan 26 19:51:19 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.54.2.1 2017/10/21 19:43:54 snj Exp $    */
+/*     $NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $ */
 /*     $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.1 2017/10/21 19:43:54 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54.2.2 2018/01/26 19:51:19 martin Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -419,7 +419,7 @@
 
                                /* Zeroize all other options. */
                                count = ptr[off + 1];
-                               memcpy(ptr, ipseczeroes, count);
+                               memcpy(ptr + off, ipseczeroes, count);
                                off += count;
                                break;
                        }
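Review bot: count is taken straight from ptr[off + 1] and then used as both the memcpy length and the step added to off, with no check visible in this context. A count of zero would leave off unchanged, and a large count would write past the end of the options area. If the lines above this hunk do not already reject those values, add a check before the memcpy. The description says the pointer given to memcpy "was correct" without naming which form is meant; stating in the log that ptr + off is the intended destination would make the revert easier to audit.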
@@ -523,12 +523,12 @@
                                                return EINVAL;
                                        }
 
-                                       ad = ptr[count + 1];
+                                       ad = ptr[count + 1] + 2;
 
                                        /* If mutable option, zeroize. */
                                        if (ptr[count] & IP6OPT_MUTABLE)
                                                memcpy(ptr + count, ipseczeroes,
-                                                   ptr[count + 1]);
+                                                   ad);
 
                                        count += ad;
 
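Review bot: ad is now ptr[count + 1] + 2, but nothing in the visible lines checks that count + ad stays inside the extension header before the memcpy or before count += ad. With a one-byte length field ad can reach 257, so also confirm that ipseczeroes (its size is not visible here) is at least that large, or use memset(ptr + count, 0, ad) so the source buffer size stops mattering. The description already says this place will be reinforced separately; a bound check of count + ad against the header end, returning EINVAL like the check above, would close the remaining gap.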



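A bounds-checked form of the option walk the commit message describes, as an added example that is not NetBSD's code. The function name, the constants, and the sample header are constructed for illustration; the step is the length byte plus 2, so a zero length still advances.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD1    0x00  /* one-byte option with no length field */
#define OPT_MUTABLE 0x20  /* bit the hunk tests as IP6OPT_MUTABLE */

/*
 * Walk the TLV options in buf[start..end) and zero every mutable option.
 * Returns the number of options visited, or -1 if an option is truncated.
 */
int zero_mutable_opts(uint8_t *buf, size_t start, size_t end)
{
    size_t count = start;
    int seen = 0;

    while (count < end) {
        if (buf[count] == OPT_PAD1) {   /* Pad1 has no length byte */
            count++;
            seen++;
            continue;
        }
        if (end - count < 2)            /* length byte would be out of range */
            return -1;
        /* The length byte excludes the 2-byte option header, so ad >= 2. */
        size_t ad = (size_t)buf[count + 1] + 2;
        if (ad > end - count)           /* option runs past the header */
            return -1;
        if (buf[count] & OPT_MUTABLE)
            memset(buf + count, 0, ad); /* no dependence on a zero buffer's size */
        count += ad;                    /* always advances, even for length 0 */
        seen++;
    }
    return seen;
}

int main(void)
{
    /* Constructed 16-byte options header; options start at offset 2. */
    uint8_t h[16] = {59, 1, 0x22, 0, 0x00, 0x05, 2, 0xAA, 0xBB,
                     0x23, 3, 1, 2, 3, 0x01, 0};
    printf("options visited: %d\n", zero_mutable_opts(h, 2, sizeof h));
    return 0;
}
```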