git: 11c7eb30cc9b - stable/13 - pfkey: Fix some checks in kdebug_sadb()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 18 Dec 2024 14:16:08 UTC
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=11c7eb30cc9b38d199c4686ad00071a678a1fc58 commit 11c7eb30cc9b38d199c4686ad00071a678a1fc58 Author: Tobias Heider <me@tobhe.me> AuthorDate: 2024-12-04 01:13:41 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-12-18 14:15:46 +0000 pfkey: Fix some checks in kdebug_sadb() Besides not doing any sufficient check that the length of a parsed message is not bigger than the actual allocated buffer, kdebug_sadb() incorrectly compares ext->sadb_ext_len, the extension payload size in 8 byte chunks, with tlen, which is the full message payload size in bytes. This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead. PR: 277456 MFC after: 2 weeks (cherry picked from commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d) --- sys/netipsec/key_debug.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c index ab4def455ac9..ef511f25411c 100644 --- a/sys/netipsec/key_debug.c +++ b/sys/netipsec/key_debug.c @@ -189,11 +189,12 @@ kdebug_sadb(struct sadb_msg *base) ext->sadb_ext_len, ext->sadb_ext_type, kdebug_sadb_exttype(ext->sadb_ext_type)); - if (ext->sadb_ext_len == 0) { + extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); + if (extlen == 0) { printf("%s: invalid ext_len=0 was passed.\n", __func__); return; } - if (ext->sadb_ext_len > tlen) { + if (extlen > tlen) { printf("%s: ext_len too big (%u > %u).\n", __func__, ext->sadb_ext_len, tlen); return; @@ -257,7 +258,6 @@ kdebug_sadb(struct sadb_msg *base) return; } - extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); tlen -= extlen; ext = (struct sadb_ext *)((caddr_t)ext + extlen); }