git: 0dab21248bc9 - main - pfkey: Fix some checks in kdebug_sadb()
Date: Wed, 04 Dec 2024 18:35:20 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=0dab21248bc9fab09e92b0c037303c921ebb1b8d
commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d
Author: Tobias Heider <me@tobhe.me>
AuthorDate: 2024-12-04 01:13:41 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-12-04 16:22:50 +0000
pfkey: Fix some checks in kdebug_sadb()
Besides not doing any sufficient check that the length of a parsed message is not bigger than the actual allocated buffer, kdebug_sadb() incorrectly compares ext->sadb_ext_len, the extension payload size in 8 byte chunks, with tlen, which is the full message payload size in bytes. This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead.
PR: 277456
MFC after: 2 weeks
---
sys/netipsec/key_debug.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index ead5fe80115b..69310baeb4c5 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -191,11 +191,12 @@ kdebug_sadb(struct sadb_msg *base) ext->sadb_ext_len, ext->sadb_ext_type, kdebug_sadb_exttype(ext->sadb_ext_type)); - if (ext->sadb_ext_len == 0) { + extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); + if (extlen == 0) { printf("%s: invalid ext_len=0 was passed.\n", __func__); return; } - if (ext->sadb_ext_len > tlen) { + if (extlen > tlen) { printf("%s: ext_len too big (%u > %u).\n", __func__, ext->sadb_ext_len, tlen); return;
@@ -262,7 +263,6 @@ kdebug_sadb(struct sadb_msg *base) return; } - extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); tlen -= extlen; ext = (struct sadb_ext *)((caddr_t)ext + extlen); }
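Review bot: The "ext_len too big" message in the first hunk still prints `ext->sadb_ext_len` (a count of 8-byte units) next to `tlen` (bytes), although the guard now compares `extlen` with `tlen`, so a rejected extension can be logged with numbers that look contradictory, e.g. "(3 > 16)". Printing the value that was actually compared keeps the diagnostic usable when triaging malformed PF_KEY messages: `__func__, extlen, tlen);`, with the conversion specifier matched to `extlen`'s declared type, which lies outside this hunk. As the commit message itself notes, `tlen` is still not checked against the size of the buffer actually allocated for the message, so the extension walk is bounded only by the length the header claims. That validation would belong in the caller or at the top of kdebug_sadb(), neither of which is visible here.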