author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-05-14 15:04:06 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-05-14 15:04:06 +0000 |
commit | 97f646171ea73ca129c99b29ee399d4c7d8ae8af (patch) | |
tree | 0619ea3e783640de4cdcadf9ba055f7c3004143d /sys/netinet | |
parent | 48123c1f8f089dc9c8fcad8fde5dce33e3933d11 (diff) |
When walking the IPv6 header chain in IPsec output, check that the
next extension header is within the packet length. Also check at
the end that the IPv4 headers are not longer than the packet.
reported by Maxime Villard; from markus@ via NetBSD; OK mpi@
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ipsec_output.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index ab65bf4f92b..2e90a2f6973 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.70 2017/11/08 16:29:20 visa Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.71 2018/05/14 15:04:05 bluhm Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
@@ -321,7 +321,10 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 */
 dstopt = 2;
 }
-
+ if (m->m_pkthdr.len < hlen + sizeof(ip6e)) {
+ m_freem(m);
+ return EINVAL;
+ }
 /* skip this header */
 m_copydata(m, hlen, sizeof(ip6e), (caddr_t)&ip6e);
@@ -342,6 +345,11 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 #endif /* INET6 */
 }
+ if (m->m_pkthdr.len < hlen) {
+ m_freem(m);
+ return EINVAL;
+ }
+
 /* Non expansion policy for IPCOMP */
 if (tdb->tdb_sproto == IPPROTO_IPCOMP) {
 if ((m->m_pkthdr.len - hlen) < tdb->tdb_compalgxform->minlen) { |
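Review bot: The new bound in the extension-header walk compares `m->m_pkthdr.len` with `hlen + sizeof(ip6e)`, and because `sizeof` yields a size_t the whole comparison is done unsigned, so it is only correct while both length values are non-negative. Their declarations are outside the hunk, so that assumption should be confirmed or stated. The guard also carries no comment saying what it protects; I would add `/* the extension header must lie entirely inside the packet before m_copydata() reads it */` above the `if`. The enclosing loop and the update of hlen from the copied header are not visible here, so whether hlen can still advance past the packet end after the last iteration is left to the second check this commit adds after the switch.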
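Review bot: The final `m->m_pkthdr.len < hlen` check drops the packet with a bare `return EINVAL` and records nothing, so a malformed header chain that reaches this path leaves no trace for anyone investigating dropped IPsec traffic. If ipsp_process_packet uses a debug macro or a drop counter on its other error returns (not visible in this hunk), the same should be used here and in the earlier extension-header check. A short comment such as `/* hlen from the IPv4/IPv6 header walk must not exceed the packet; the IPCOMP length test below subtracts it */` would tie the check to the `m->m_pkthdr.len - hlen` expression that follows. The function body starts and continues outside the hunk.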