Date:      Fri, 1 Apr 2011 14:13:50 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r220247 - head/sys/netipsec
Message-ID:  <201104011413.p31EDowO048059@svn.freebsd.org>

Author: bz
Date: Fri Apr  1 14:13:49 2011
New Revision: 220247
URL: http://svn.freebsd.org/changeset/base/220247

Log:
  Do not allow recursive RFC3173 IPComp payload.
  
  Reviewed by:	Tavis Ormandy (taviso cmpxchg8b.com)
  MFC after:	5 days
  Security:	CVE-2011-1547

Modified:
  head/sys/netipsec/xform_ipcomp.c

Modified: head/sys/netipsec/xform_ipcomp.c
==============================================================================
--- head/sys/netipsec/xform_ipcomp.c	Fri Apr  1 14:04:36 2011	(r220246)
+++ head/sys/netipsec/xform_ipcomp.c	Fri Apr  1 14:13:49 2011	(r220247)
@@ -142,8 +142,29 @@ ipcomp_input(struct mbuf *m, struct seca
 	struct tdb_crypto *tc;
 	struct cryptodesc *crdc;
 	struct cryptop *crp;
+	struct ipcomp *ipcomp;
+	caddr_t addr;
 	int hlen = IPCOMP_HLENGTH;
 
+	/*
+	 * Check that the next header of the IPComp is not IPComp again, before
+	 * doing any real work.  Given it is not possible to do double
+	 * compression it means someone is playing tricks on us.
+	 */
+	if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
+		V_ipcompstat.ipcomps_hdrops++;		/*XXX*/
+		DPRINTF(("%s: m_pullup failed\n", __func__));
+		return (ENOBUFS);
+	}
+	addr = (caddr_t) mtod(m, struct ip *) + skip;
+	ipcomp = (struct ipcomp *)addr;
+	if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
+		m_freem(m);
+		V_ipcompstat.ipcomps_pdrops++;	/* XXX have our own stats? */
+		DPRINTF(("%s: recursive compression detected\n", __func__));
+		return (EINVAL);
+	}
+
 	/* Get crypto descriptors */
 	crp = crypto_getreq(1);
 	if (crp == NULL) {
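Review bot: The recursive-compression drop is counted in `ipcomps_pdrops`, which the inline `XXX` already questions; because that counter is shared with other drop reasons, an operator watching the IPComp statistics cannot tell a nesting attempt from an ordinary policy drop, so a dedicated counter (placeholder name, e.g. `ipcomps_rec_drops`) would make this check observable and `DPRINTF` alone is debug-build only. The header comment should also state the check's scope explicitly, e.g. `Only the immediate next header is checked; IPComp nested inside an inner IP header is not caught here`, since the code compares only `ipcomp->comp_nxt` and any deeper nesting presumably relies on the existing IPsec nesting limits rather than on this test. On style, `addr = (caddr_t) mtod(m, struct ip *) + skip;` can be written as `addr = mtod(m, caddr_t) + skip;` — the intermediate `struct ip *` cast adds nothing. The body of ipcomp_input starts and ends outside this hunk.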


