When processing IPsec AH packets check that the header fits into

the packet length.
found by Maxime Villard; from FreeBSD; OK procter@ markus@

1 files changed, 11 insertions, 2 deletions

diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 736e0d0c28e..fd16674ac93 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_ah.c,v 1.137 2018/02/27 09:24:56 benno Exp $ */
+/*	$OpenBSD: ip_ah.c,v 1.138 2018/03/14 22:38:46 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -592,7 +592,16 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 		    "in SA %s/%08x\n", __func__, hl * sizeof(u_int32_t),
 		    ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 		    ntohl(tdb->tdb_spi)));
-
+		ahstat_inc(ahs_badauthl);
+		m_freem(m);
+		return EACCES;
+	}
+	if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
+		DPRINTF(("%s: bad mbuf length %d (expecting %d) "
+		    "for packet in SA %s/%08x\n", __func__,
+		    m->m_pkthdr.len, skip + ahx->authsize + rplen,
+		    ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+		    ntohl(tdb->tdb_spi)));
 		ahstat_inc(ahs_badauthl);
 		m_freem(m);
 		return EACCES;