Source-Changes archive


CVS commit: [netbsd-7-1] src/sys/netipsec



Module Name:    src
Committed By:   martin
Date:           Thu Feb 15 17:51:38 UTC 2018

Modified Files:
        src/sys/netipsec [netbsd-7-1]: xform_ah.c xform_esp.c xform_ipip.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1569):
        sys/netipsec/xform_ah.c: revision 1.77, 1.81 (via patch)
        sys/netipsec/xform_esp.c: revision 1.73 (via patch)
        sys/netipsec/xform_ipip.c: revision 1.56, 1.57 (via patch)

Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:

218     ipo = mtod(m, struct ip *);
281     m = m_pullup(m, hlen);
232     ipo->ip_src.s_addr

Found by Mootja.

Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.

Reinforce and clarify.

Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.

As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.

Make sure the Authentication Header fits the mbuf chain, otherwise panic.


To generate a diff of this commit:
cvs rdiff -u -r1.42.12.2 -r1.42.12.3 src/sys/netipsec/xform_ah.c
cvs rdiff -u -r1.45 -r1.45.12.1 src/sys/netipsec/xform_esp.c
cvs rdiff -u -r1.31.10.1 -r1.31.10.2 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
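
Added example, not part of the commit or of NetBSD's code: a toy user-space model of the ordering problem the log message describes, where a header pointer taken with mtod() before m_pullup() can dangle once the pullup moves the data. The names `toy_mbuf`, `toy_pullup`, `read_src` and `demo` and the 20-byte header are constructed for illustration, and the model assumes the pullup always reallocates when it has to merge data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy packet buffer (constructed, not NetBSD's struct mbuf): data[len] then more[morelen]. */
struct toy_mbuf { unsigned char *data, *more; size_t len, morelen; };
#define toy_mtod(m, t) ((t)(m)->data)
/* Constructed 20-byte IPv4 header, source address 192.0.2.1 at offset 12. */
static const unsigned char hdr[20] = { 0x45, [12] = 192, 0, 2, 1 };
static void *xmalloc(size_t n) { void *p = malloc(n); if (!p) abort(); return p; }
static void toy_freem(struct toy_mbuf *m) { free(m->data); free(m->more); free(m); }
static struct toy_mbuf *toy_get(const unsigned char *p, size_t alen, size_t blen) {
    struct toy_mbuf *m = xmalloc(sizeof *m);
    m->data = memcpy(xmalloc(alen), p, alen);
    m->more = blen ? memcpy(xmalloc(blen), p + alen, blen) : NULL;
    m->len = alen; m->morelen = blen;
    return m;
}

/* Modelled on m_pullup(): may free the old storage; frees all and returns NULL on failure. */
static struct toy_mbuf *toy_pullup(struct toy_mbuf *m, size_t need) {
    if (m->len >= need) return m;
    if (m->len + m->morelen < need) { toy_freem(m); return NULL; }
    unsigned char *buf = xmalloc(m->len + m->morelen);
    memcpy(buf, m->data, m->len);
    memcpy(buf + m->len, m->more, m->morelen);
    free(m->data); free(m->more);   /* pointers taken before this call now dangle */
    m->data = buf; m->len += m->morelen; m->more = NULL; m->morelen = 0;
    return m;
}

/* Fixed ordering: NULL check, then take the header pointer after the pullup.
 * The bug ordering takes `ipo` where `before` is taken and reads it afterwards. */
static int read_src(struct toy_mbuf **mp, unsigned char src[4], int *moved) {
    uintptr_t before = (uintptr_t)toy_mtod(*mp, unsigned char *);
    if ((*mp = toy_pullup(*mp, sizeof hdr)) == NULL) return -1;
    unsigned char *ipo = toy_mtod(*mp, unsigned char *);
    *moved = ((uintptr_t)ipo != before);   /* 1: an early pointer would be stale */
    memcpy(src, ipo + 12, 4);
    return 0;
}
static int demo(size_t alen, size_t blen, unsigned char src[4], int *moved) {
    struct toy_mbuf *m = toy_get(hdr, alen, blen);   /* needs alen + blen <= 20 */
    int rc = read_src(&m, src, moved);
    if (m != NULL) toy_freem(m);
    return rc;
}
int main(void) {
    unsigned char s[4]; int mv = 0;
    return (demo(8, 12, s, &mv) == 0 && mv == 1) ? 0 : 1;   /* header split 8 + 12 */
}
```

When the whole header already sits in the first segment (`demo(20, 0, ...)`), nothing moves and the early pointer happens to stay valid, which is why this kind of bug only shows on some paths.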



