settling serious conflicts between MAC and IPSEC

zhouyi zhou zhouyi04 at ios.cn
Mon Mar 27 10:55:07 UTC 2006


High everyone, there exists a serious bug in function ipsec_copypkt(m) 
of netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0

3469                                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3470                                         if (mnew == NULL)
3471                                                 goto fail;
3472                                         mnew->m_pkthdr = n->m_pkthdr;
3473 #if 0
3474                                         /* XXX: convert to m_tag or delete? */
3475                                         if (n->m_pkthdr.aux) {
3476                                                 mnew->m_pkthdr.aux =
3477                                                     m_copym(n->m_pkthdr.aux,
3478                                                     0, M_COPYALL, M_DONTWAIT);
3479                                         }
3480 #endif
3481                                         M_MOVE_PKTHDR(mnew, n);

On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and 
on line 3481, in function m_move_pkthdr, mnew's tag list will be delete (and the n's tag 
of cause). This will cause system to crash.

After commenting out line 3472, everything is OK.

Sincerely yours
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences


More information about the freebsd-bugs mailing list