From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 8 11:20:01 2008
Return-Path: 
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B54F71065677 for ; Tue, 8 Apr 2008 11:20:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 92A078FC34 for ; Tue, 8 Apr 2008 11:20:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m38BK1IJ091925 for ; Tue, 8 Apr 2008 11:20:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m38BK1cb091924; Tue, 8 Apr 2008 11:20:01 GMT (envelope-from gnats)
Resent-Date: Tue, 8 Apr 2008 11:20:01 GMT
Resent-Message-Id: <200804081120.m38BK1cb091924@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, susan.lan@zyxel.com.tw
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E2C01065685 for ; Tue, 8 Apr 2008 11:14:34 +0000 (UTC) (envelope-from atc@death.ath.cx)
Received: from death.ath.cx (unknown [IPv6:2001:b121:4::213]) by mx1.freebsd.org (Postfix) with ESMTP id 042D88FC6E for ; Tue, 8 Apr 2008 11:14:33 +0000 (UTC) (envelope-from atc@death.ath.cx)
Received: from death.ath.cx (localhost [127.0.0.1]) by death.ath.cx (8.13.8/8.13.8) with ESMTP id m38BEUVE091664 for ; Tue, 8 Apr 2008 19:14:31 +0800 (CST) (envelope-from atc@death.ath.cx)
Received: (from root@localhost) by death.ath.cx (8.13.8/8.13.8/Submit) id m38BEU7k091663; Tue, 8 Apr 2008 19:14:30 +0800 (CST) (envelope-from atc)
Message-Id: <200804081114.m38BEU7k091663@death.ath.cx>
Date: Tue, 8 Apr 2008 19:14:30 +0800 (CST)
From: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/122565: Possible memory overwrite for IPv6 IPsec
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: susan.lan@zyxel.com.tw
List-Id: Bug reports
X-List-Received-Date: Tue, 08 Apr 2008 11:20:01 -0000

>Number:         122565
>Category:       kern
>Synopsis:       Possible memory overwrite for IPv6 IPsec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
None
>Description:
struct secashead defined in keydb.h line 89:

    /* Security Association Data Base */
    struct secashead {
        LIST_ENTRY(secashead) chain;

        struct secasindex saidx;

        struct secident *idents;    /* source identity */
        struct secident *identd;    /* destination identity */
                                    /* XXX I don't know how to use them. */

        u_int8_t state;             /* MATURE or DEAD. */
        LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
                                    /* SA chain */
                                    /* The first of this list is newer SA */

        struct route sa_route;      /* route cache */
    };

The last field "sa_route" is "struct route", whose space is not enough for an IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned an IPv6 address.
>How-To-Repeat:
None
>Fix:
Enlarge the field to struct route_in6, which could accommodate both IPv4 and IPv6 addresses.
>Release-Note:
>Audit-Trail:
>Unformatted:
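The following user-space program is an added illustration of the size mismatch the report describes; it is not part of the PR and not FreeBSD code. The two "model_" structs are constructed stand-ins for FreeBSD's struct route and struct route_in6 (an rtentry pointer followed by the cached destination sockaddr); the real definitions are in the kernel headers, and the rtentry pointer is modelled as a plain void *. The program measures how many bytes a sockaddr_in6 overhangs the generic sockaddr slot in struct route, and shows the bounds check that refuses the copy rather than overwriting whatever follows sa_route.

```c
/* Added example for kern/122565; model structs are assumptions, not the
 * kernel's own definitions. Builds with any C99 compiler on a POSIX host. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Model of struct route: the destination slot is a generic 16-byte sockaddr. */
struct model_route {
    void            *ro_rt;   /* stand-in for struct rtentry * */
    struct sockaddr  ro_dst;  /* 16 bytes: too small for a sockaddr_in6 */
};

/* Model of struct route_in6, the type the PR proposes for sa_route. */
struct model_route_in6 {
    void                *ro_rt;
    struct sockaddr_in6  ro_dst; /* 28 bytes: holds an IPv6 destination */
};

/* Bytes a blind copy of a sockaddr_in6 into struct route's ro_dst would
 * write past the end of that field (12 on common ABIs). */
size_t route_dst_overflow_bytes(void)
{
    return sizeof(struct sockaddr_in6) - sizeof(struct sockaddr);
}

/* Bounds-checked install of a destination into a route cache whose ro_dst
 * field is dst_capacity bytes long. Returns 0 on success and -1 when the
 * address would not fit, instead of overwriting memory after ro_dst. */
int route_set_dst(void *ro_dst, size_t dst_capacity,
                  const struct sockaddr *sa, size_t sa_len)
{
    if (ro_dst == NULL || sa == NULL || sa_len > dst_capacity)
        return -1;
    memcpy(ro_dst, sa, sa_len);
    return 0;
}

/* Constructed sample destination: IPv6 loopback. */
static void sample_in6_dst(struct sockaddr_in6 *sin6)
{
    memset(sin6, 0, sizeof(*sin6));
    sin6->sin6_family = AF_INET6;
    sin6->sin6_addr = in6addr_loopback;
}

/* 0 if an IPv6 destination fits the struct route model, -1 otherwise. */
int ipv6_dst_fits_route(void)
{
    struct model_route ro;
    struct sockaddr_in6 sin6;
    sample_in6_dst(&sin6);
    return route_set_dst(&ro.ro_dst, sizeof(ro.ro_dst),
                         (const struct sockaddr *)&sin6, sizeof(sin6));
}

/* 0 if an IPv6 destination fits the struct route_in6 model, -1 otherwise. */
int ipv6_dst_fits_route_in6(void)
{
    struct model_route_in6 ro6;
    struct sockaddr_in6 sin6;
    sample_in6_dst(&sin6);
    return route_set_dst(&ro6.ro_dst, sizeof(ro6.ro_dst),
                         (const struct sockaddr *)&sin6, sizeof(sin6));
}

int main(void)
{
    printf("model struct route: %zu bytes, model struct route_in6: %zu bytes\n",
           sizeof(struct model_route), sizeof(struct model_route_in6));
    printf("sockaddr_in6 copied into struct route overhangs ro_dst by %zu bytes\n",
           route_dst_overflow_bytes());
    printf("IPv6 dst into struct route:     %s\n",
           ipv6_dst_fits_route() == 0 ? "fits" : "rejected (would overflow)");
    printf("IPv6 dst into struct route_in6: %s\n",
           ipv6_dst_fits_route_in6() == 0 ? "fits" : "rejected");
    return 0;
}
```

The check in route_set_dst is the shape of defence a reviewer would look for wherever a generic sockaddr slot receives an address of runtime-determined family: compare the incoming sa_len against the capacity of the destination field before copying. Widening sa_route to struct route_in6, as the PR proposes, removes the mismatch at the type level so the check can never fail for IPv6 destinations.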