Date: Wed, 7 Mar 2018 12:35:00 +0100 From: Christoph Moench-Tegeder <cmt@burggraben.net> To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec Message-ID: <20180307113500.GA50696@elch.exwg.net> In-Reply-To: <20180307070938.D70A94469@freefall.freebsd.org> References: <20180307070938.D70A94469@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi,
the committed patch for FreeBSD 10.4 and 10.3 does not compile:
/usr/src/sys/netipsec/xform_ah.c:622:43: error: use of undeclared identifier
'buf'
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
^
/usr/src/sys/netipsec/ipsec.h:323:51: note: expanded from macro 'DPRINTF'
#define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0)
^
/usr/src/sys/netipsec/xform_ah.c:625:3: error: use of undeclared identifier
'error'
error =3D EACCES;
^
/usr/src/sys/netipsec/xform_ah.c:626:8: error: use of undeclared label 'bad'
goto bad;
^
3 errors generated.
*** Error code 1
Looking at the code, the compiler is right - things have shifted here
in between FreeBSD 10 and 11, and what's working in 11 is not good for 10...
I guess we need this additional patch:
--- sys/netipsec/xform_ah.c.orig 2018-03-07 12:27:58.645874000 +0100
+++ sys/netipsec/xform_ah.c 2018-03-07 12:28:47.584073000 +0100
@@ -619,11 +619,10 @@
DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__,
m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
- ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+ ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauthl);
- error =3D EACCES;
- goto bad;
+ return EACCES;
}
AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
=20
But you'd better re-check, I don't know the code here - I'm just making
stuff compile :)
Further, neither this (SA-18:01) nor SA-18:02's nor the Errata Note's
(EN-18:01, EN-18:02) do show up in the given location:
https://www.freebsd.org/security/patches/SA-18%3A01/ (and the other
directories) only have the GPG signatures, but not the patches itself.
Regards,
Christoph
--=20
Spare Space
--ew6BAiZeqk4r7MaW
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEoJWHwgBcrz+o94uKXDrR55w48RIFAlqfzl8ACgkQXDrR55w4
8RLQxAf/UI0BQXSvNHQQdTPgQVOQf674QoUMnzXFLS08H9yTD7gjRgAHO8Nrozvk
EJuKBT5FtCv+T27C2wm+amzm55LKBGAaWEMoPU4ZLnRIkaMvOkohRtIHsF/0xiIq
N+Y8FnnPor34b+5wjx0wNqCQC/mwFDcTQiwwC8TdUeIYBYIFBj8ikxwMZTePg0LH
bBqFDI7ueDJLmhzJ6qm7Xxz5TySBA0Orno9nmHcFf1S02Ene+fAAQxP+dsf4rcE2
ZNNbZxj3BN+qt2TSlyemXn1Nkk9TEOrpDhGWsXkYAjUnsKvaGJF2/zym5Po43yDJ
J/RMBHcMjA1X5EbRMKW1oXh28Fn39w==
=bat7
-----END PGP SIGNATURE-----
--ew6BAiZeqk4r7MaW--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180307113500.GA50696>