9ecab3344c
Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely crash the kernel with a single packet. In this loop we need to increment 'ad' by two, because the length field of the option header does not count the size of the option header itself. If the length is zero, then 'count' is incremented by zero, and there's an infinite loop. Beyond that, this code was written with the assumption that since the IPv6 packet already went through the generic IPv6 option parser, several fields are guaranteed to be valid; but this assumption does not hold because of the missing '+2', and there's as a result a triggerable buffer overflow (write zeros after the end of the mbuf, potentially to the next mbuf in memory since it's a pool). Add the missing '+2', this place will be reinforced in separate commits. Reported by: Maxime Villard <maxv at NetBSD.org> MFC after: 1 week |
||
---|---|---|
.. | ||
ah_var.h | ||
ah.h | ||
esp_var.h | ||
esp.h | ||
ipcomp_var.h | ||
ipcomp.h | ||
ipsec6.h | ||
ipsec_input.c | ||
ipsec_mbuf.c | ||
ipsec_mod.c | ||
ipsec_output.c | ||
ipsec_pcb.c | ||
ipsec_support.h | ||
ipsec.c | ||
ipsec.h | ||
key_debug.c | ||
key_debug.h | ||
key_var.h | ||
key.c | ||
key.h | ||
keydb.h | ||
keysock.c | ||
keysock.h | ||
subr_ipsec.c | ||
udpencap.c | ||
xform_ah.c | ||
xform_esp.c | ||
xform_ipcomp.c | ||
xform_tcp.c | ||
xform.h |