git: 0dab21248bc9 - main - pfkey: Fix some checks in kdebug_sadb()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 04 Dec 2024 18:35:20 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=0dab21248bc9fab09e92b0c037303c921ebb1b8d

commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d
Author:     Tobias Heider <me@tobhe.me>
AuthorDate: 2024-12-04 01:13:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-12-04 16:22:50 +0000

    pfkey: Fix some checks in kdebug_sadb()
    
    Besides not doing any sufficient check that the length of a parsed
    message is not bigger than the actual allocated buffer, kdebug_sadb()
    incorrectly compares ext->sadb_ext_len, the extension payload size in 8
    byte chunks, with tlen, which is the full message payload size in bytes.
    
    This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead.
    
    PR:             277456
    MFC after:      2 weeks
---
 sys/netipsec/key_debug.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index ead5fe80115b..69310baeb4c5 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -191,11 +191,12 @@ kdebug_sadb(struct sadb_msg *base)
 		    ext->sadb_ext_len, ext->sadb_ext_type,
 		    kdebug_sadb_exttype(ext->sadb_ext_type));
 
-		if (ext->sadb_ext_len == 0) {
+		extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
+		if (extlen == 0) {
 			printf("%s: invalid ext_len=0 was passed.\n", __func__);
 			return;
 		}
-		if (ext->sadb_ext_len > tlen) {
+		if (extlen > tlen) {
 			printf("%s: ext_len too big (%u > %u).\n",
 				__func__, ext->sadb_ext_len, tlen);
 			return;
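Review bot: The "ext_len too big" message under `if (extlen > tlen)` still prints `ext->sadb_ext_len`, which is in 8-byte units, beside `tlen`, which is in bytes, so the log can show a pair such as "3 > 16" that does not read as a failed bound. Printing the converted value keeps the message in step with the comparison: `__func__, extlen, tlen);`, with the conversion specifier matched to extlen's declared type, which is outside this hunk. Separately, `ext->sadb_ext_len` is read and printed at the top of the hunk before any length test; if the loop condition (not visible here) does not guarantee `tlen >= sizeof(struct sadb_ext)`, that read can run past the remaining message bytes. As the commit message notes, the total message length is still not checked against the allocated buffer. kdebug_sadb's body starts and ends outside the hunk.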
@@ -262,7 +263,6 @@ kdebug_sadb(struct sadb_msg *base)
 			return;
 		}
 
-		extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
 		tlen -= extlen;
 		ext = (struct sadb_ext *)((caddr_t)ext + extlen);
 	}