From: zhouyi zhou
Date: Mon, 27 Mar 2006 18:40:13 +0800
To: trustedbsd-discuss@FreeBSD.org
Cc: freebsd-bugs@freebsd.org
Subject: settling serious conflicts between MAC and IPSEC
Organization: Institute of Software

Hi everyone,

There exists a serious bug in function ipsec_copypkt(m) of netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0:

3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3470            if (mnew == NULL)
3471                    goto fail;
3472            mnew->m_pkthdr = n->m_pkthdr;
3473 #if 0
3474            /* XXX: convert to m_tag or delete? */
3475            if (n->m_pkthdr.aux) {
3476                    mnew->m_pkthdr.aux =
3477                        m_copym(n->m_pkthdr.aux,
3478                        0, M_COPYALL, M_DONTWAIT);
3479            }
3480 #endif
3481            M_MOVE_PKTHDR(mnew, n);

On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in function m_move_pkthdr, mnew's tag list will be deleted (and n's tags, of course). This will cause the system to crash. After commenting out line 3472, everything is OK.

Sincerely yours
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences
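
The aliasing described in the message above, as an added user-space example that is not part of the original post or of the FreeBSD source. The struct layouts and function names are simplified, hypothetical stand-ins, and the move is modelled as the message describes it (the destination's tag list is deleted before the header is moved); deletion marks tags instead of freeing them so the dangling references can be counted safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (hypothetical, not the kernel's definitions). */
struct tag    { struct tag *next; int freed; };
struct pkthdr { struct tag *tags; int len; };
struct mbuf   { struct pkthdr m_pkthdr; };

/* Model of deleting a tag chain: mark each tag instead of calling free(),
 * so the chain can be inspected afterwards without undefined behaviour. */
static void tag_delete_chain(struct mbuf *m)
{
    for (struct tag *t = m->m_pkthdr.tags; t != NULL; t = t->next)
        t->freed = 1;
    m->m_pkthdr.tags = NULL;
}

/* Model of the move as the message describes it: the destination's tag
 * list is deleted, then the header (tags included) moves over from src. */
static void move_pkthdr(struct mbuf *to, struct mbuf *from)
{
    tag_delete_chain(to);
    to->m_pkthdr = from->m_pkthdr;
    from->m_pkthdr.tags = NULL;
}

/* Returns how many already-deleted tags are reachable from the new mbuf. */
static int dangling_tags_after_copy(int do_struct_copy)
{
    struct tag t2 = { NULL, 0 }, t1 = { &t2, 0 };   /* n carries two tags */
    struct mbuf n = { { &t1, 100 } };
    struct mbuf mnew = { { NULL, 0 } };              /* fresh header mbuf */
    int dangling = 0;

    if (do_struct_copy)
        mnew.m_pkthdr = n.m_pkthdr;   /* line 3472: mnew now aliases n's tags */
    move_pkthdr(&mnew, &n);           /* line 3481 */

    for (struct tag *t = mnew.m_pkthdr.tags; t != NULL; t = t->next)
        dangling += t->freed;
    return dangling;
}

int main(void)
{
    printf("with line 3472:    %d dangling tags\n", dangling_tags_after_copy(1));
    printf("without line 3472: %d dangling tags\n", dangling_tags_after_copy(0));
    return 0;
}
```

In a kernel the marked tags would have been freed, so the first case leaves mnew pointing at released memory, while the second case matches the workaround of commenting out line 3472.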