Date:      Tue, 28 Mar 2006 05:21:50 -0500
From:      Tom Rhodes <trhodes@FreeBSD.org>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        gnn@FreeBSD.org, freebsd-bugs@FreeBSD.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org, zhouyi04@ios.cn
Subject:   Re: settling serious conflicts between MAC and IPSEC
Message-ID:  <20060328052150.5f96e147.trhodes@FreeBSD.org>
In-Reply-To: <20060328095916.A19236@fledge.watson.org>
References:  <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org>

On Tue, 28 Mar 2006 10:02:39 +0000 (GMT)
Robert Watson <rwatson@FreeBSD.org> wrote:

> 
> On Mon, 27 Mar 2006, zhouyi zhou wrote:
> 
> > Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of 
> > netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
> >
> > 3469                                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
> > 3470                                         if (mnew == NULL)
> > 3471                                                 goto fail;
> > 3472                                         mnew->m_pkthdr = n->m_pkthdr;
> > 3473 #if 0
> > 3474                                         /* XXX: convert to m_tag or delete? */
> > 3475                                         if (n->m_pkthdr.aux) {
> > 3476                                                 mnew->m_pkthdr.aux =
> > 3477                                                     m_copym(n->m_pkthdr.aux,
> > 3478                                                     0, M_COPYALL, M_DONTWAIT);
> > 3479                                         }
> > 3480 #endif
> > 3481                                         M_MOVE_PKTHDR(mnew, n);
> >
> > On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in 
> > function m_move_pkthdr, mnew's tag list will be deleted (and n's tags, of 
> > course). This will cause the system to crash.
> >
> > After commenting out line 3472, everything is OK.
> 
> Thanks for this report!  The M_MOVE_PKTHDR() should do all the necessary work, 
> including copying the fields referenced in 3472, as well as handling existing 
> m_tags right.  I've attached a patch with your proposal, which looks and 
> sounds good to me, and CC'd George and Bjoern in the hopes that one of them 
> will give it a nod of approval before I commit it -- hopefully we can get 
> this MFC'd for 6.1-RELEASE.
> 
> Robert N M Watson
> 

Should also close kern/94599

-- 
Tom Rhodes
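
Added example, not part of the original messages and not FreeBSD code: a user-space model of the aliasing reported above, comparing the sequence with and without line 3472. The structures and helpers are simplified stand-ins, and the model assumes, as the report describes, that M_MOVE_PKTHDR deletes the destination's existing tag list before taking over the source's header.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model; not FreeBSD's real mbuf structures. */
struct tag { struct tag *next; int live; };
struct pkthdr { int len; struct tag *tags; };
struct mbuf { int has_pkthdr; struct pkthdr hdr; };
static struct tag pool[2];   /* static pool: "freeing" only clears live */

/* Stand-in for m_tag_delete_chain(): release every tag on m's list. */
static void tag_delete_chain(struct mbuf *m) {
    for (struct tag *t = m->hdr.tags; t != NULL; t = t->next)
        t->live = 0;
    m->hdr.tags = NULL;
}

/* Stand-in for M_MOVE_PKTHDR(): drop dst's tags, then take over src's header. */
static void move_pkthdr(struct mbuf *to, struct mbuf *from) {
    if (to->has_pkthdr)
        tag_delete_chain(to);
    to->hdr = from->hdr;     /* tag list ownership moves to 'to' */
    to->has_pkthdr = 1;
    from->hdr.tags = NULL;   /* source no longer owns any tags */
    from->has_pkthdr = 0;
}

/* Count released tags still reachable from m (dangling references). */
static int dangling_tags(const struct mbuf *m) {
    int n = 0;
    for (const struct tag *t = m->hdr.tags; t != NULL; t = t->next)
        n += !t->live;
    return n;
}

/* Replays the sequence; with_line_3472 selects the reported or patched code. */
int copypkt_dangling(int with_line_3472) {
    memset(pool, 0, sizeof(pool));
    pool[0].live = pool[1].live = 1;         /* constructed sample: two tags on n */
    pool[0].next = &pool[1];
    struct mbuf n = { 1, { 1500, &pool[0] } };
    struct mbuf mnew = { 1, { 0, NULL } };   /* fresh header mbuf, as after MGETHDR */
    if (with_line_3472)
        mnew.hdr = n.hdr;    /* line 3472: mnew's list now aliases n's tags */
    move_pkthdr(&mnew, &n);  /* line 3481: deletes "mnew's" tags, i.e. n's */
    return dangling_tags(&mnew);
}

int main(void) {
    printf("reported: %d dangling\n", copypkt_dangling(1));
    printf("patched:  %d dangling\n", copypkt_dangling(0));
    return 0;
}
```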


