kern/122565: Possible memory overwrite for IPv6 IPsec

susan.lan at zyxel.com.tw
Tue Apr 8 11:20:01 UTC 2008


>Number:         122565
>Category:       kern
>Synopsis:       Possible memory overwrite for IPv6 IPsec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
	None
>Description:
	struct secashead is defined in keydb.h at line 89:

/* Security Association Data Base */
struct secashead {
   LIST_ENTRY(secashead) chain;

   struct secasindex saidx;

   struct secident *idents;    /* source identity */
   struct secident *identd;    /* destination identity */
                   /* XXX I don't know how to use them. */

   u_int8_t state;            /* MATURE or DEAD. */
   LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
                   /* SA chain */
                   /* The first of this list is newer SA */

   struct route sa_route;        /* route cache */
};

The last field "sa_route" is a "struct route", whose space is not enough for an IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned an IPv6 address.

>How-To-Repeat:
	None
>Fix:
	Enlarge the field to struct route_in6, which could accommodate both IPv4 and IPv6 addresses.


>Release-Note:
>Audit-Trail:
>Unformatted:
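The size mismatch the report describes, shown with an added userland example (this is not code from the PR or from FreeBSD). struct route carries its destination as a generic struct sockaddr (FreeBSD's route.h; the layout below is a mirror called narrow_route_cache, not the kernel's struct), which is 16 bytes and cannot hold a 28-byte struct sockaddr_in6; the proposed struct route_in6 uses a struct sockaddr_in6 slot, mirrored here as wide_route_cache, which can. The copy helper checks the slot capacity and refuses the write instead of overrunning the struct. The struct names, the ro_rt stand-in pointer and the 2001:db8::1 address are constructed for this example.

```c
/* Added example (not part of the PR or of FreeBSD): an IPv6 socket address
 * does not fit the generic struct sockaddr that a struct route-style cache
 * carries, so any copy into such a slot must be length-checked first. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical mirror of the struct route layout: a route pointer plus one
 * generic sockaddr as the destination slot (field names are ours). */
struct narrow_route_cache {
    void *ro_rt;                 /* stand-in for the cached route pointer */
    struct sockaddr ro_dst;      /* 16 bytes: too small for sockaddr_in6 */
};

/* Hypothetical mirror of the proposed struct route_in6 layout. */
struct wide_route_cache {
    void *ro_rt;
    struct sockaddr_in6 ro_dst;  /* 28 bytes: holds IPv4 or IPv6 addresses */
};

/* Copy a socket address into a destination slot of capacity dst_len.
 * Returns the number of bytes copied, or -1 if the address would overflow
 * the slot; nothing is written in that case. */
static int copy_sockaddr_checked(void *dst, size_t dst_len,
                                 const struct sockaddr *sa, size_t sa_len)
{
    if (sa_len > dst_len)
        return -1;
    memcpy(dst, sa, sa_len);
    return (int)sa_len;
}

/* Constructed IPv6 destination: 2001:db8::1 (documentation prefix). */
static struct sockaddr_in6 sample_in6(void)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_addr.s6_addr[0] = 0x20;
    sin6.sin6_addr.s6_addr[1] = 0x01;
    sin6.sin6_addr.s6_addr[2] = 0x0d;
    sin6.sin6_addr.s6_addr[3] = 0xb8;
    sin6.sin6_addr.s6_addr[15] = 0x01;
    return sin6;
}

/* 1 if the IPv6 address fits the narrow (struct route-like) slot, else 0. */
int in6_fits_narrow_cache(void)
{
    struct narrow_route_cache rc;
    struct sockaddr_in6 sin6 = sample_in6();
    memset(&rc, 0, sizeof(rc));
    return copy_sockaddr_checked(&rc.ro_dst, sizeof(rc.ro_dst),
                                 (const struct sockaddr *)&sin6,
                                 sizeof(sin6)) >= 0;
}

/* 1 if the IPv6 address fits the wide (struct route_in6-like) slot, else 0. */
int in6_fits_wide_cache(void)
{
    struct wide_route_cache rc;
    struct sockaddr_in6 sin6 = sample_in6();
    memset(&rc, 0, sizeof(rc));
    return copy_sockaddr_checked(&rc.ro_dst, sizeof(rc.ro_dst),
                                 (const struct sockaddr *)&sin6,
                                 sizeof(sin6)) >= 0;
}

/* Bytes an unchecked copy of a sockaddr_in6 would write past the end of a
 * generic struct sockaddr slot: the amount the report's field is short by. */
size_t narrow_cache_overrun_bytes(void)
{
    return sizeof(struct sockaddr_in6) - sizeof(struct sockaddr);
}
```

The check generalizes beyond the tunnel path named in the report: wherever a caller hands a struct sockaddr * to a slot sized for the generic struct, comparing the address length against the slot capacity before the copy (or sizing the slot as struct sockaddr_in6 or struct sockaddr_storage) is what prevents the overwrite.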