author | Markus Friedl <markus@cvs.openbsd.org> | 2011-04-06 19:15:35 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2011-04-06 19:15:35 +0000 |
commit | 38b1eafd3637f833b0f7cfa2fdf61686414f6e64 (patch) | |
tree | ba641fc3cc7a699c8c7af1905685ef98e9bc87b0 /sys | |
parent | 70b43498012fa8f02468f62baf89711bcabcccb5 (diff) |
uncompress a packet with an IPcomp header only once; this prevents
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ipsec_input.c | 13 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 5 |
2 files changed, 14 insertions, 4 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 1896046d44d..918b78ed837 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.101 2011/04/03 15:51:09 henning Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.102 2011/04/06 19:15:34 markus Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -141,6 +141,12 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 rip_input(m, skip, sproto);
 return 0;
 }
+ if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
+ m_freem(m);
+ ipcompstat.ipcomps_pdrops++;
+ DPRINTF(("ipsec_common_input(): repeated decompression\n"));
+ return EINVAL;
+ }
 
 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
 m_freem(m);
@@ -570,8 +576,11 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
 /* Check if we had authenticated ESP. */
 if (tdbp->tdb_authalgxform)
 m->m_flags |= M_AUTH;
- } else if (sproto == IPPROTO_AH)
+ } else if (sproto == IPPROTO_AH) {
 m->m_flags |= M_AUTH | M_AUTH_AH;
+ } else if (sproto == IPPROTO_IPCOMP) {
+ m->m_flags |= M_COMP;
+ }
 
 #if NPF > 0
 /* Add pf tag if requested. */
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index d4160b5d23a..38bf35babc6 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.149 2011/04/05 20:31:41 henning Exp $ */
+/* $OpenBSD: mbuf.h,v 1.150 2011/04/06 19:15:34 markus Exp $ */
 /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
 /*
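Review bot: The new early drop in ipsec_common_input (second hunk) carries no comment explaining why a second IPcomp header is fatal, and the M_COMP flag it tests is only set in ipsec_common_input_cb (third hunk), so a reader of this function alone sees an unexplained policy decision. Suggest a comment above the `if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP))` line: `/* Decompress at most once per packet: a further IPcomp header after M_COMP is set is a decompression loop (IPcomp quine) or a nested IPcomp/IPIP chain and is rejected. */`. The drop is accounted only in `ipcompstat.ipcomps_pdrops`, which presumably also counts other policy drops, so an operator cannot distinguish this case from the counter alone; a dedicated counter or a rate-limited log line would make the condition observable outside DPRINTF builds. Nothing in this diff clears M_COMP, so a packet decompressed here that later re-enters IPsec input with a fresh IPcomp header would presumably be dropped too, which seems intended but is worth stating. The enclosing function continues outside the hunk.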
@@ -168,10 +168,11 @@ struct mbuf {
 #define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
 #define M_TUNNEL 0x1000 /* IP-in-IP added by tunnel mode IPsec */
 #define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
+#define M_COMP 0x4000 /* header was decompressed */
 #define M_LINK0 0x8000 /* link layer specific flag */
 
 /* flags copied when copying m_pkthdr */
-#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|\
+#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_PROTO1|M_BCAST|M_MCAST|M_CONF|M_COMP|\
 M_AUTH|M_LOOP|M_TUNNEL|M_LINK0|M_VLANTAG|M_FILDROP)
 
 /* Checksumming flags */ |
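Review bot: The comment on the new flag, `/* header was decompressed */`, does not say what consumes it: ipsec_common_input now drops a packet whose IPcomp header arrives with M_COMP already set, so unlike M_AUTH this is a once-per-packet marker with a rejection side effect. Suggest `#define M_COMP 0x4000 /* payload was decompressed (IPcomp); set once, a further IPcomp header is dropped */` so the contract is visible where the flag is defined. Adding M_COMP to M_COPYFLAGS is presumably what lets the marker survive m_pkthdr copies while the packet is decapsulated, which is worth a word on the existing comment, e.g. `/* flags copied when copying m_pkthdr (M_COMP must survive decapsulation) */`.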