d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not allow recursive RFC3173 IPComp payload.

Browse Source 
Reviewed by:	Tavis Ormandy (taviso cmpxchg8b.com)
MFC after:	5 days
Security:	CVE-2011-1547
This commit is contained in:
Bjoern A. Zeeb 2011-04-01 14:13:49 +00:00
parent 1fe80828e7
commit dc49da9761
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sys/netipsec/xform_ipcomp.c
View File

@ -142,8 +142,29 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
struct ipcomp *ipcomp;
caddr_t addr;
int hlen = IPCOMP_HLENGTH;
/*
* Check that the next header of the IPComp is not IPComp again, before
* doing any real work. Given it is not possible to do double
* compression it means someone is playing tricks on us.
*/
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
V_ipcompstat.ipcomps_hdrops++; /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
return (ENOBUFS);
}
addr = (caddr_t) mtod(m, struct ip *) + skip;
ipcomp = (struct ipcomp *)addr;
if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
m_freem(m);
V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */
DPRINTF(("%s: recursive compression detected\n", __func__));
return (EINVAL);
}
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {