svn commit: r220483 - stable/8/sys/netipsec
Bjoern A. Zeeb
bz at FreeBSD.org
Sat Apr 9 10:53:36 UTC 2011
Author: bz
Date: Sat Apr 9 10:53:36 2011
New Revision: 220483
URL: http://svn.freebsd.org/changeset/base/220483
Log:
MFC r220247:
Do not allow directly recursive RFC3173 IPComp payload.
Security: CVE-2011-1547
Modified:
stable/8/sys/netipsec/xform_ipcomp.c
Directory Properties:
stable/8/sys/ (props changed)
stable/8/sys/amd64/include/xen/ (props changed)
stable/8/sys/cddl/contrib/opensolaris/ (props changed)
stable/8/sys/contrib/dev/acpica/ (props changed)
stable/8/sys/contrib/pf/ (props changed)
Modified: stable/8/sys/netipsec/xform_ipcomp.c
==============================================================================
--- stable/8/sys/netipsec/xform_ipcomp.c Sat Apr 9 10:45:22 2011 (r220482)
+++ stable/8/sys/netipsec/xform_ipcomp.c Sat Apr 9 10:53:36 2011 (r220483)
@@ -141,8 +141,29 @@ ipcomp_input(struct mbuf *m, struct seca
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
+ struct ipcomp *ipcomp;
+ caddr_t addr;
int hlen = IPCOMP_HLENGTH;
+ /*
+ * Check that the next header of the IPComp is not IPComp again, before
+ * doing any real work. Given it is not possible to do double
+ * compression it means someone is playing tricks on us.
+ */
+ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
+ V_ipcompstat.ipcomps_hdrops++; /*XXX*/
+ DPRINTF(("%s: m_pullup failed\n", __func__));
+ return (ENOBUFS);
+ }
+ addr = (caddr_t) mtod(m, struct ip *) + skip;
+ ipcomp = (struct ipcomp *)addr;
+ if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
+ m_freem(m);
+ V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */
+ DPRINTF(("%s: recursive compression detected\n", __func__));
+ return (EINVAL);
+ }
+
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
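Review bot: The rejection at `if (ipcomp->comp_nxt == IPPROTO_IPCOMP)` is counted in `ipcomps_pdrops` and reported only through `DPRINTF`, which presumably prints only when IPsec debugging is enabled, so an operator has no reliable way to tell these CVE-2011-1547 drops from whatever else that counter records; the existing `XXX have our own stats?` remark points at the same gap. A dedicated statistics field, or at least a rate-limited log message, would make the condition visible to monitoring. The block comment should also state the scope of the guard, matching the log's "directly recursive" wording, for example `/* Only comp_nxt of this IPComp header is tested; see CVE-2011-1547. */`. As a smaller style point, `addr = mtod(m, caddr_t) + skip;` avoids the intermediate `struct ip *` cast. The body of ipcomp_input starts and ends outside this hunk, so how `m` is used after the possible `m_pullup()` reallocation cannot be checked from here.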