From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 07:40:08 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 553C7106566C for ; Tue, 8 Apr 2008 07:40:08 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 101E58FC32 for ; Tue, 8 Apr 2008 07:40:08 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 5327641C759; Tue, 8 Apr 2008 09:40:07 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id WJP8wBC7I6n0; Tue, 8 Apr 2008 09:40:05 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id BFAEF41C75C; Tue, 8 Apr 2008 09:40:05 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 0C9D444487F; Tue, 8 Apr 2008 07:38:18 +0000 (UTC) Date: Tue, 8 Apr 2008 07:38:17 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: blue In-Reply-To: <47FB15B7.8080202@zyxel.com.tw> Message-ID: <20080408073749.D66744@maildrop.int.zabbadoz.net> References: <47FB15B7.8080202@zyxel.com.tw> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-net@freebsd.org Subject: Re: [ipsec] bug report: possible memory overwrite for IPv6 IPsec X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2008 07:40:08 -0000 On Tue, 8 Apr 2008, blue wrote: > Dear all: > > struct secashead defined in keydb.h line 89: > > /* Security Association Data Base */ > struct secashead { > LIST_ENTRY(secashead) chain; > > struct secasindex saidx; > > struct secident *idents; /* source identity */ > struct secident *identd; /* destination identity */ > /* XXX I don't know how to use them. */ > > u_int8_t state; /* MATURE or DEAD. */ > LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1]; > /* SA chain */ > /* The first of this list is newer SA */ > > struct route sa_route; /* route cache */ > }; > > The last field "sa_route" is "struct route", whose space is not enough for > IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field > could possibly be assigned with an IPv6 address. > > My suggestion is to enlarge the field as struct route_in6, which could > accommodate both IPv4 and IPv6 address. Can you please file a PR for this. Thanks. -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT Software is harder than hardware so better get it right the first time.