From owner-svn-src-all@FreeBSD.ORG Sat Apr 9 11:03:04 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9F21A106564A; Sat, 9 Apr 2011 11:03:04 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 8159E8FC0A; Sat, 9 Apr 2011 11:03:04 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p39B346Y011760; Sat, 9 Apr 2011 11:03:04 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p39B34tx011757; Sat, 9 Apr 2011 11:03:04 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201104091103.p39B34tx011757@svn.freebsd.org> From: "Bjoern A. Zeeb" Date: Sat, 9 Apr 2011 11:03:04 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r220485 - in stable/6/sys: netinet6 netipsec X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Apr 2011 11:03:04 -0000 Author: bz Date: Sat Apr 9 11:03:04 2011 New Revision: 220485 URL: http://svn.freebsd.org/changeset/base/220485 Log: MFC r220247: Do not allow directly recursive RFC3173 IPComp payload. While IPv6 does count iterations over next headers in ip6_input, we still disallow directly recursive IPComp payload in the KAME code. Security: CVE-2011-1547 Modified: stable/6/sys/netinet6/ipcomp_input.c stable/6/sys/netipsec/xform_ipcomp.c Directory Properties: stable/6/sys/ (props changed) stable/6/sys/contrib/pf/ (props changed) stable/6/sys/dev/cxgb/ (props changed) Modified: stable/6/sys/netinet6/ipcomp_input.c ============================================================================== --- stable/6/sys/netinet6/ipcomp_input.c Sat Apr 9 10:58:38 2011 (r220484) +++ stable/6/sys/netinet6/ipcomp_input.c Sat Apr 9 11:03:04 2011 (r220485) @@ -117,8 +117,21 @@ ipcomp4_input(m, off) goto fail; } ipcomp = mtod(md, struct ipcomp *); - ip = mtod(m, struct ip *); nxt = ipcomp->comp_nxt; + + /* + * Check that the next header of the IPComp is not IPComp again, before + * doing any real work. Given it is not possible to do double + * compression it means someone is playing tricks on us. + */ + if (nxt == IPPROTO_IPCOMP) { + ipseclog((LOG_ERR, "IPv4 IPComp input: " + "recursive compression detected.")); + ipsecstat.in_inval++; + goto fail; + } + + ip = mtod(m, struct ip *); #ifdef _IP_VHL hlen = IP_VHL_HL(ip->ip_vhl) << 2; #else @@ -269,6 +282,18 @@ ipcomp6_input(mp, offp, proto) ip6 = mtod(m, struct ip6_hdr *); nxt = ipcomp->comp_nxt; + /* + * Check that the next header of the IPComp is not IPComp again, before + * doing any real work. Given it is not possible to do double + * compression it means someone is playing tricks on us. + */ + if (nxt == IPPROTO_IPCOMP) { + ipseclog((LOG_ERR, "IPv6 IPComp input: " + "recursive compression detected.")); + ipsecstat.in_inval++; + goto fail; + } + cpi = ntohs(ipcomp->comp_cpi); if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) { Modified: stable/6/sys/netipsec/xform_ipcomp.c ============================================================================== --- stable/6/sys/netipsec/xform_ipcomp.c Sat Apr 9 10:58:38 2011 (r220484) +++ stable/6/sys/netipsec/xform_ipcomp.c Sat Apr 9 11:03:04 2011 (r220485) @@ -139,10 +139,31 @@ ipcomp_input(struct mbuf *m, struct seca struct tdb_crypto *tc; struct cryptodesc *crdc; struct cryptop *crp; + struct ipcomp *ipcomp; + caddr_t addr; int hlen = IPCOMP_HLENGTH; IPSEC_SPLASSERT_SOFTNET(__func__); + /* + * Check that the next header of the IPComp is not IPComp again, before + * doing any real work. Given it is not possible to do double + * compression it means someone is playing tricks on us. + */ + if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) { + ipcompstat.ipcomps_hdrops++; /*XXX*/ + DPRINTF(("%s: m_pullup failed\n", __func__)); + return (ENOBUFS); + } + addr = (caddr_t) mtod(m, struct ip *) + skip; + ipcomp = (struct ipcomp *)addr; + if (ipcomp->comp_nxt == IPPROTO_IPCOMP) { + m_freem(m); + ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */ + DPRINTF(("%s: recursive compression detected\n", __func__)); + return (EINVAL); + } + /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) {