[ipsec] bug report: possible memory overwrite for IPv6 IPsec
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Apr 8 07:40:08 UTC 2008
On Tue, 8 Apr 2008, blue wrote:
> Dear all:
>
> struct secashead defined in keydb.h line 89:
>
> /* Security Association Data Base */
> struct secashead {
> LIST_ENTRY(secashead) chain;
>
> struct secasindex saidx;
>
> struct secident *idents; /* source identity */
> struct secident *identd; /* destination identity */
> /* XXX I don't know how to use them. */
>
> u_int8_t state; /* MATURE or DEAD. */
> LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
> /* SA chain */
> /* The first of this list is newer SA */
>
> struct route sa_route; /* route cache */
> };
>
> The last field "sa_route" is "struct route", whose space is not enough for
> IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field
> could possibly be assigned with an IPv6 address.
>
> My suggestion is to enlarge the field as struct route_in6, which could
> accommodate both IPv4 and IPv6 address.
Can you please file a PR for this. Thanks.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
More information about the freebsd-net
mailing list