From: blue <Susan.Lan@zyxel.com.tw>
To: freebsd-net@freebsd.org
Date: Tue, 08 Apr 2008 14:50:31 +0800
Subject: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
Message-ID: <47FB15B7.8080202@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD

Dear all:

struct secashead defined in keydb.h line 89:

/* Security Association Data Base */
struct secashead {
	LIST_ENTRY(secashead) chain;

	struct secasindex saidx;

	struct secident *idents;	/* source identity */
	struct secident *identd;	/* destination identity */
					/* XXX I don't know how to use them. */

	u_int8_t state;			/* MATURE or DEAD. */
	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
					/* SA chain */
					/* The first of this list is newer SA */

	struct route sa_route;		/* route cache */
};

The last field, "sa_route", is a "struct route", whose space is not enough for an IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned an IPv6 address. My suggestion is to enlarge the field to a struct route_in6, which could accommodate both IPv4 and IPv6 addresses.

BR,
blue
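The following is an added illustration of the size mismatch the report describes; it is not code from the mailing-list post or from the FreeBSD tree. The two mock_route structs are constructed stand-ins that copy only the destination-field layout of FreeBSD's struct route (a 16-byte struct sockaddr) and struct route_in6 (a 28-byte struct sockaddr_in6); the helper names route_set_dst, v6_overrun_in_route and the demo_* functions are assumptions for this example. It computes how many bytes an IPv6 destination would overrun the narrow cache by, and shows a length-checked copy that refuses the write instead of overflowing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

struct rtentry;                         /* opaque, as in the kernel */

/* Constructed stand-in with the field layout of FreeBSD's struct route. */
struct mock_route {
    struct rtentry *ro_rt;
    struct sockaddr ro_dst;             /* 16 bytes: room for sockaddr_in only */
};

/* Constructed stand-in with the field layout of FreeBSD's struct route_in6. */
struct mock_route_in6 {
    struct rtentry *ro_rt;
    struct sockaddr_in6 ro_dst;         /* 28 bytes: room for either family */
};

/* Bytes by which a sockaddr_in6 would overrun the ro_dst slot of struct route. */
size_t v6_overrun_in_route(void)
{
    size_t slot = sizeof(((struct mock_route *)0)->ro_dst);
    size_t need = sizeof(struct sockaddr_in6);
    return need > slot ? need - slot : 0;
}

/* Length-checked store into a route cache's ro_dst slot of 'slot' bytes.
 * Returns 0 on success, EINVAL when the destination does not fit (the
 * caller must then use the wider struct route_in6 instead of overflowing). */
int route_set_dst(void *ro_dst, size_t slot, const struct sockaddr *dst, size_t len)
{
    if (dst == NULL || len > slot)
        return EINVAL;
    memcpy(ro_dst, dst, len);
    return 0;
}

/* An IPv6 destination written into the narrow struct route: must be refused. */
int demo_v6_into_route(void)
{
    struct mock_route ro;
    struct sockaddr_in6 dst6;
    memset(&ro, 0, sizeof ro);
    memset(&dst6, 0, sizeof dst6);
    dst6.sin6_family = AF_INET6;
    dst6.sin6_addr.s6_addr[15] = 1;     /* constructed: ::1 */
    return route_set_dst(&ro.ro_dst, sizeof ro.ro_dst,
                         (const struct sockaddr *)&dst6, sizeof dst6);
}

/* The same IPv6 destination into struct route_in6: fits, copy succeeds. */
int demo_v6_into_route_in6(void)
{
    struct mock_route_in6 ro6;
    struct sockaddr_in6 dst6;
    memset(&ro6, 0, sizeof ro6);
    memset(&dst6, 0, sizeof dst6);
    dst6.sin6_family = AF_INET6;
    dst6.sin6_addr.s6_addr[15] = 1;     /* constructed: ::1 */
    return route_set_dst(&ro6.ro_dst, sizeof ro6.ro_dst,
                         (const struct sockaddr *)&dst6, sizeof dst6);
}

/* An IPv4 destination into struct route: the case the narrow field was sized for. */
int demo_v4_into_route(void)
{
    struct mock_route ro;
    struct sockaddr_in dst4;
    memset(&ro, 0, sizeof ro);
    memset(&dst4, 0, sizeof dst4);
    dst4.sin_family = AF_INET;
    dst4.sin_addr.s_addr = htonl(0x7f000001u);   /* constructed: 127.0.0.1 */
    return route_set_dst(&ro.ro_dst, sizeof ro.ro_dst,
                         (const struct sockaddr *)&dst4, sizeof dst4);
}

int main(void)
{
    printf("sockaddr_in6 overruns struct route's ro_dst by %zu bytes\n",
           v6_overrun_in_route());
    printf("v6 -> route: %d, v6 -> route_in6: %d, v4 -> route: %d\n",
           demo_v6_into_route(), demo_v6_into_route_in6(), demo_v4_into_route());
    return 0;
}
```

The 12-byte overrun is exactly the difference between a 28-byte sockaddr_in6 and the 16-byte sockaddr slot, which is what an unchecked copy into sa_route would scribble past the end of the struct secashead entry. Widening the field to struct route_in6, as the report proposes, makes the slot large enough for both families, and the length check in route_set_dst is the kind of guard that turns any remaining mismatch into an error return rather than a silent overwrite.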