Source-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [netbsd-8] src/sys/netipsec



Module Name:    src
Committed By:   martin
Date:           Sat Mar 31 10:46:20 UTC 2018

Modified Files:
        src/sys/netipsec [netbsd-8]: ipsec_input.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #677):

        sys/netipsec/ipsec_input.c: revision 1.55

Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.

I'm not sure whether this an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.


To generate a diff of this commit:
cvs rdiff -u -r1.43.2.4 -r1.43.2.5 src/sys/netipsec/ipsec_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




Home | Main Index | Thread Index | Old Index