From owner-svn-src-stable@freebsd.org  Wed Aug 16 12:01:23 2017
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9712DD7636;
 Wed, 16 Aug 2017 12:01:23 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 79D2D8006E;
 Wed, 16 Aug 2017 12:01:23 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v7GC1M2d013185;
 Wed, 16 Aug 2017 12:01:22 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v7GC1MfD013184;
 Wed, 16 Aug 2017 12:01:22 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201708161201.v7GC1MfD013184@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Wed, 16 Aug 2017 12:01:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r322576 - stable/11/sys/netipsec
X-SVN-Group: stable-11
X-SVN-Commit-Author: ae
X-SVN-Commit-Paths: stable/11/sys/netipsec
X-SVN-Commit-Revision: 322576
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 12:01:23 -0000

Author: ae
Date: Wed Aug 16 12:01:22 2017
New Revision: 322576
URL: https://svnweb.freebsd.org/changeset/base/322576

Log:
  MFC r322328:
    Make user supplied data checks a bit stricter.
  
    key_msg2sp() is used for parsing data from setsockopt(IP[V6]_IPSEC_POLICY)
    call. This socket option is usually used to configure IPsec bypass for
    socket. Only privileged user can set this socket option.
    The message syntax is described here
    	http://www.kame.net/newsletter/20021210/
  
    and our libipsec is usually used to create the correct request.
    Add additional checks:
    * that sadb_x_ipsecrequest_len is not out of bounds of user supplied buffer
    * that src/dst's sa_len is the same
    * that 2*sa_len is not out of bounds of user supplied buffer
    * that 2*sa_len fits into bounds of sadb_x_ipsecrequest
  
    Reported by:	Ilja van Sprundel

Modified:
  stable/11/sys/netipsec/key.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/key.c
==============================================================================
--- stable/11/sys/netipsec/key.c	Wed Aug 16 10:59:37 2017	(r322575)
+++ stable/11/sys/netipsec/key.c	Wed Aug 16 12:01:22 2017	(r322576)
@@ -1403,7 +1403,8 @@ key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int
 
 		while (tlen > 0) {
 			/* length check */
-			if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
+			if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) ||
+			    xisr->sadb_x_ipsecrequest_len > tlen) {
 				ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest "
 					"length.\n", __func__));
 				key_freesp(&newsp);
@@ -1517,10 +1518,12 @@ key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int
 			if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
 				struct sockaddr *paddr;
 
+				len = tlen - sizeof(*xisr);
 				paddr = (struct sockaddr *)(xisr + 1);
 				/* validity check */
-				if (paddr->sa_len
-				    > sizeof(isr->saidx.src)) {
+				if (len < sizeof(struct sockaddr) ||
+				    len < 2 * paddr->sa_len ||
+				    paddr->sa_len > sizeof(isr->saidx.src)) {
 					ipseclog((LOG_DEBUG, "%s: invalid "
 						"request address length.\n",
 						__func__));
@@ -1528,13 +1531,26 @@ key_msg2sp(struct sadb_x_policy *xpl0, size_t len, int
 					*error = EINVAL;
 					return NULL;
 				}
+				/*
+				 * Request length should be enough to keep
+				 * source and destination addresses.
+				 */
+				if (xisr->sadb_x_ipsecrequest_len <
+				    sizeof(*xisr) + 2 * paddr->sa_len) {
+					ipseclog((LOG_DEBUG, "%s: invalid "
+					    "ipsecrequest length.\n",
+					    __func__));
+					key_freesp(&newsp);
+					*error = EINVAL;
+					return (NULL);
+				}
 				bcopy(paddr, &isr->saidx.src, paddr->sa_len);
 				paddr = (struct sockaddr *)((caddr_t)paddr +
 				    paddr->sa_len);
 
 				/* validity check */
-				if (paddr->sa_len
-				    > sizeof(isr->saidx.dst)) {
+				if (paddr->sa_len !=
+				    isr->saidx.src.sa.sa_len) {
 					ipseclog((LOG_DEBUG, "%s: invalid "
 						"request address length.\n",
 						__func__));