Date: Tue, 08 Apr 2008 14:50:31 +0800 From: blue <susan.lan@zyxel.com.tw> To: freebsd-net@freebsd.org Subject: [ipsec] bug report: possible memory overwrite for IPv6 IPsec Message-ID: <47FB15B7.8080202@zyxel.com.tw>
next in thread | raw e-mail | index | archive | help
Dear all:
struct secashead defined in keydb.h line 89:
/* Security Association Data Base */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secasindex saidx;
struct secident *idents; /* source identity */
struct secident *identd; /* destination identity */
/* XXX I don't know how to use them. */
u_int8_t state; /* MATURE or DEAD. */
LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
/* SA chain */
/* The first of this list is newer SA */
struct route sa_route; /* route cache */
};
The last field "sa_route" is "struct route", whose space is not enough
for IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c,
the field could possibly be assigned with an IPv6 address.
My suggestion is to enlarge the field as struct route_in6, which could
accommodate both IPv4 and IPv6 address.
BR,
blue
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47FB15B7.8080202>