git: 0c5701ff8fdf - stable/14 - pfkey: Fix some checks in kdebug_sadb()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 18 Dec 2024 13:46:52 UTC
The branch stable/14 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=0c5701ff8fdf9103446f605fcab29608f4715338
commit 0c5701ff8fdf9103446f605fcab29608f4715338
Author: Tobias Heider <me@tobhe.me>
AuthorDate: 2024-12-04 01:13:41 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-12-18 13:43:42 +0000
pfkey: Fix some checks in kdebug_sadb()
Besides not doing any sufficient check that the length of a parsed
message is not bigger than the actual allocated buffer, kdebug_sadb()
incorrectly compares ext->sadb_ext_len, the extension payload size in 8
byte chunks, with tlen, which is the full message payload size in bytes.
This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead.
PR: 277456
MFC after: 2 weeks
(cherry picked from commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d)
---
sys/netipsec/key_debug.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index dcb542b22ad8..017105e78f2b 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -189,11 +189,12 @@ kdebug_sadb(struct sadb_msg *base)
ext->sadb_ext_len, ext->sadb_ext_type,
kdebug_sadb_exttype(ext->sadb_ext_type));
- if (ext->sadb_ext_len == 0) {
+ extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
+ if (extlen == 0) {
printf("%s: invalid ext_len=0 was passed.\n", __func__);
return;
}
- if (ext->sadb_ext_len > tlen) {
+ if (extlen > tlen) {
printf("%s: ext_len too big (%u > %u).\n",
__func__, ext->sadb_ext_len, tlen);
return;
@@ -257,7 +258,6 @@ kdebug_sadb(struct sadb_msg *base)
return;
}
- extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
tlen -= extlen;
ext = (struct sadb_ext *)((caddr_t)ext + extlen);
}