svn commit: r220247 - head/sys/netipsec
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Apr 1 14:13:50 UTC 2011
Author: bz
Date: Fri Apr 1 14:13:49 2011
New Revision: 220247
URL: http://svn.freebsd.org/changeset/base/220247
Log:
Do not allow recursive RFC3173 IPComp payload.
Reviewed by: Tavis Ormandy (taviso cmpxchg8b.com)
MFC after: 5 days
Security: CVE-2011-1547
Modified:
head/sys/netipsec/xform_ipcomp.c
Modified: head/sys/netipsec/xform_ipcomp.c
==============================================================================
--- head/sys/netipsec/xform_ipcomp.c Fri Apr 1 14:04:36 2011 (r220246)
+++ head/sys/netipsec/xform_ipcomp.c Fri Apr 1 14:13:49 2011 (r220247)
@@ -142,8 +142,29 @@ ipcomp_input(struct mbuf *m, struct seca
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
+ struct ipcomp *ipcomp;
+ caddr_t addr;
int hlen = IPCOMP_HLENGTH;
+ /*
+ * Check that the next header of the IPComp is not IPComp again, before
+ * doing any real work. Given it is not possible to do double
+ * compression it means someone is playing tricks on us.
+ */
+ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
+ V_ipcompstat.ipcomps_hdrops++; /*XXX*/
+ DPRINTF(("%s: m_pullup failed\n", __func__));
+ return (ENOBUFS);
+ }
+ addr = (caddr_t) mtod(m, struct ip *) + skip;
+ ipcomp = (struct ipcomp *)addr;
+ if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
+ m_freem(m);
+ V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */
+ DPRINTF(("%s: recursive compression detected\n", __func__));
+ return (EINVAL);
+ }
+
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
More information about the svn-src-all
mailing list