authorTheo de Raadt <deraadt@cvs.openbsd.org>2009-10-28 21:03:18 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2009-10-28 21:03:18 +0000
commita17e248f9a93f38f7b303975e16a8be057bf0ee9 (patch)
treeea3c9e41ab3bfec6d80a2f7332b31823cb5b97b0 /sys/netinet6
parentcbb354c6b63eda7b79f4c2b5cbd1839f5e364a9b (diff)
*NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not sparc64), sh, ...) on OpenBSD 4.3 or older.
Copy of the ipv4 bug, spotted by claudio.
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ip6_output.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 75a1e2e0bad..565ca1b88b3 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.107 2009/10/06 21:21:48 claudio Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.108 2009/10/28 21:03:17 deraadt Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -1914,6 +1914,7 @@ do { \
case IPV6_ESP_TRANS_LEVEL:
case IPV6_ESP_NETWORK_LEVEL:
case IPV6_IPCOMP_LEVEL:
+ *mp = m = m_get(M_WAIT, MT_SOOPTS);
#ifndef IPSEC
m->m_len = sizeof(int);
*mtod(m, int *) = IPSEC_LEVEL_NONE;
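Review bot: The added `*mp = m = m_get(M_WAIT, MT_SOOPTS);` carries no comment, yet it is the only thing keeping the `m->m_len = sizeof(int);` store below it from going through a NULL `m`, which the commit message describes as locally exploitable where userland and kernel share an address space. I would put `/* no mbuf exists yet on this path; allocate before any store through m */` above it so that a later cleanup does not drop or reorder the line. The hunk shows only the `#ifndef IPSEC` arm, and the enclosing switch starts and ends outside it, so the `#else` arm and the neighbouring cases should be checked for any other store through `m` that precedes an allocation; IPV6_AUTH_LEVEL, the counterpart of the first option the message names, is not visible here and should be confirmed to fall into this same case group. M_WAIT presumably sleeps rather than returning NULL, so no failure check looks necessary, but that is worth confirming against m_get().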