Message-Id: <200910070825.n978PcWF015420@www.freebsd.org>
Date: Wed, 7 Oct 2009 08:25:38 GMT
From: Rainer Bredehorn
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/139387: Wrong length of PF_KEY messages in promiscuous mode

>Number:         139387
>Category:       misc
>Synopsis:       Wrong length of PF_KEY messages in promiscuous mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 07 08:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Rainer Bredehorn
>Release:        FreeBSD 7.1
>Organization:
>Environment:
FreeBSD 7.1-RELEASE

>Description:
File: netipsec/keysock.c
Function: key_sendup0()

--------------
    if (promisc) {
        struct sadb_msg *pmsg;

        M_PREPEND(m, sizeof(struct sadb_msg), M_DONTWAIT);
        if (m && m->m_len < sizeof(struct sadb_msg))
            m = m_pullup(m, sizeof(struct sadb_msg));
        if (!m) {
            pfkeystat.in_nomem++;
            m_freem(m);
            return ENOBUFS;
        }
-------->   m->m_pkthdr.len += sizeof(*pmsg);

        pmsg = mtod(m, struct sadb_msg *);
        bzero(pmsg, sizeof(*pmsg));
        pmsg->sadb_msg_version = PF_KEY_V2;
        pmsg->sadb_msg_type = SADB_X_PROMISC;
        pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
        /* pid and seq? */

        pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
    }
-----------------

This "m->m_pkthdr.len += sizeof(*pmsg);" is not necessary, so sadb_msg_len is always 16 bytes too large. M_PREPEND already adjusts the length of the mbuf to the correct size.

Best regards,
Rainer

>How-To-Repeat:
Switch the kernel PF_KEY to promiscuous mode.
Receive promiscuous mode messages.

>Fix:
Remove the adjustment of the mbuf length ( m->m_pkthdr.len += sizeof(*pmsg); )

>Release-Note:
>Audit-Trail:
>Unformatted:
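
The length arithmetic described in the report, as a simplified userland model. This is an added example, not code from the report or from the FreeBSD tree. All ex_ names, the toy packet structure and the 88-byte inner message size are assumptions made for illustration; the 16-byte header layout and the constants follow RFC 2367.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* sadb_msg layout per RFC 2367 (16 bytes, host byte order); ex_ names are this example's own. */
struct ex_sadb_msg {
    uint8_t  version, type, err, satype;
    uint16_t len;                 /* whole message, in 64-bit units */
    uint16_t reserved;
    uint32_t seq, pid;
};
#define EX_PF_KEY_V2      2
#define EX_SADB_X_PROMISC 11
#define EX_UNIT64(n)      ((n) >> 3)

/* Toy stand-in for the mbuf packet header: only the running total length is modelled. */
struct ex_pkt { size_t pkthdr_len; };

/* Models M_PREPEND, which per the report already grows the packet length. */
static void ex_prepend(struct ex_pkt *p, size_t n) { p->pkthdr_len += n; }

/* Writes the promiscuous wrapper header into out[16] and returns the real byte count.
   double_count != 0 reproduces the extra adjustment the report points at. */
static size_t ex_wrap(uint8_t *out, size_t inner_len, int double_count)
{
    struct ex_pkt p = { inner_len };
    struct ex_sadb_msg h;
    ex_prepend(&p, sizeof(h));
    size_t real_len = p.pkthdr_len;
    if (double_count)
        p.pkthdr_len += sizeof(h);
    memset(&h, 0, sizeof(h));
    h.version = EX_PF_KEY_V2;
    h.type = EX_SADB_X_PROMISC;
    h.len = (uint16_t)EX_UNIT64(p.pkthdr_len);
    memcpy(out, &h, sizeof(h));
    return real_len;
}

/* Receiver-side check: declared length minus bytes actually held, in bytes.
   0 means consistent; LONG_MIN means the buffer cannot even hold a header. */
static long ex_len_excess(const uint8_t *buf, size_t received)
{
    struct ex_sadb_msg h;
    if (received < sizeof(h))
        return LONG_MIN;
    memcpy(&h, buf, sizeof(h));
    return (long)h.len * 8 - (long)received;
}
```

A consumer of promiscuous-mode PF_KEY traffic can apply the same comparison to each message it reads before trusting sadb_msg_len to walk the buffer.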