git: 10eb2a2bde61 - main - ipsec: Validate the protocol identifier in ipsec4_ctlinput()
Mark Johnston
markj at FreeBSD.org
Fri Sep 10 13:09:22 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=10eb2a2bde616e52ae2939df90c04483383a34f7
commit 10eb2a2bde616e52ae2939df90c04483383a34f7
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-10 13:07:59 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-10 13:09:00 +0000
ipsec: Validate the protocol identifier in ipsec4_ctlinput()
key_allocsa() expects to handle only IPSec protocols and has an
assertion to this effect. However, ipsec4_ctlinput() has to handle
messages from ICMP unreachable packets and was not validating the
protocol number. In practice such a packet would simply fail to match
any SADB entries and would thus be ignored.
Reported by: syzbot+6a9ef6fcfadb9f3877fe at syzkaller.appspotmail.com
Reviewed by: ae
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31890
---
sys/netipsec/ipsec_input.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 07a3ef583be8..73202cbb528b 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
struct icmp *icp;
struct ip *ip = v;
uint32_t pmtu, spi;
+ uint8_t proto;
if (code != PRC_MSGSIZE || ip == NULL)
return (EINVAL);
@@ -289,8 +290,13 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
if (pmtu < V_ip4_ipsec_min_pmtu)
return (EINVAL);
+ proto = ip->ip_p;
+ if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
+ proto != IPPROTO_IPCOMP)
+ return (EINVAL);
+
memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
- sav = key_allocsa((union sockaddr_union *)sa, ip->ip_p, spi);
+ sav = key_allocsa((union sockaddr_union *)sa, proto, spi);
if (sav == NULL)
return (ENOENT);
More information about the dev-commits-src-main
mailing list