settling serious conflicts between MAC and IPSEC
zhouyi zhou
zhouyi04 at ios.cn
Mon Mar 27 10:55:07 UTC 2006
Hi everyone, there exists a serious bug in function ipsec_copypkt(m)
of netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
3469                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3470                         if (mnew == NULL)
3471                                 goto fail;
3472                         mnew->m_pkthdr = n->m_pkthdr;
3473 #if 0
3474                         /* XXX: convert to m_tag or delete? */
3475                         if (n->m_pkthdr.aux) {
3476                                 mnew->m_pkthdr.aux =
3477                                     m_copym(n->m_pkthdr.aux,
3478                                     0, M_COPYALL, M_DONTWAIT);
3479                         }
3480 #endif
3481                         M_MOVE_PKTHDR(mnew, n);
On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and
on line 3481, in function m_move_pkthdr, mnew's tag list will be deleted (and n's tag,
of course). This will cause the system to crash.
After commenting out line 3472, everything is OK.
Sincerely yours
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences
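
Added example (not part of the original message, and not FreeBSD source): a simplified user-space C model of the sequence the post describes, with the struct assignment of line 3472 present and then removed. The types and the functions tag_delete_chain, move_pkthdr, dangling_tags and copy_header are hypothetical stand-ins; the model assumes the move deletes the destination's tag chain before taking over the source header, and it marks tags dead instead of freeing them so the stale pointers can be counted safely.

```c
#include <stdio.h>

/* Simplified stand-ins for the mbuf packet header and its tag list (assumed layout). */
struct tag    { struct tag *next; int alive; };
struct pkthdr { struct tag *tags; int len; };
struct mbuf   { struct pkthdr m_pkthdr; };

/* Model of deleting a tag chain: mark tags dead rather than free() them. */
static void tag_delete_chain(struct mbuf *m) {
    for (struct tag *t = m->m_pkthdr.tags; t != NULL; t = t->next)
        t->alive = 0;
    m->m_pkthdr.tags = NULL;
}

/* Model of the move: destination tags are deleted, then the header is taken over. */
static void move_pkthdr(struct mbuf *to, struct mbuf *from) {
    tag_delete_chain(to);
    to->m_pkthdr = from->m_pkthdr;   /* tag list head comes from the source */
    from->m_pkthdr.tags = NULL;      /* source gives up ownership */
}

/* Count tags reachable from m that have already been deleted. */
static int dangling_tags(const struct mbuf *m) {
    int n = 0;
    for (const struct tag *t = m->m_pkthdr.tags; t != NULL; t = t->next)
        if (!t->alive)
            n++;
    return n;
}

/* Replays lines 3472 and 3481; returns the number of dead tags left on mnew. */
static int copy_header(int keep_line_3472) {
    struct tag t2 = { NULL, 1 }, t1 = { &t2, 1 };      /* constructed sample tags */
    struct mbuf n = { { &t1, 64 } }, mnew = { { NULL, 0 } };
    if (keep_line_3472)
        mnew.m_pkthdr = n.m_pkthdr;  /* both headers now share one tag list */
    move_pkthdr(&mnew, &n);          /* deletes the shared list, then reinstalls it */
    return dangling_tags(&mnew);
}

int main(void) {
    printf("with line 3472:    %d dangling tags\n", copy_header(1));
    printf("without line 3472: %d dangling tags\n", copy_header(0));
    return 0;
}
```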