summaryrefslogtreecommitdiff
path: root/sys/netinet
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2018-03-14 22:38:47 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2018-03-14 22:38:47 +0000
commit8f7192ed265ed34f5398a340264a57a933dd7c45 (patch)
tree293f3f684e2e9137632ddefa068aca5243167959 /sys/netinet
parentcec372cb7b301dc76a79f7a0e79e7516c63b61ed (diff)
When processing IPsec AH packets check that the header fits into
the packet length. found by Maxime Villard; from FreeBSD; OK procter@ markus@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ah.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 736e0d0c28e..fd16674ac93 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.137 2018/02/27 09:24:56 benno Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.138 2018/03/14 22:38:46 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -592,7 +592,16 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
"in SA %s/%08x\n", __func__, hl * sizeof(u_int32_t),
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
-
+ ahstat_inc(ahs_badauthl);
+ m_freem(m);
+ return EACCES;
+ }
+ if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
+ DPRINTF(("%s: bad mbuf length %d (expecting %d) "
+ "for packet in SA %s/%08x\n", __func__,
+ m->m_pkthdr.len, skip + ahx->authsize + rplen,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat_inc(ahs_badauthl);
m_freem(m);
return EACCES;