From 97f646171ea73ca129c99b29ee399d4c7d8ae8af Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Mon, 14 May 2018 15:04:06 +0000
Subject: When walking the IPv6 header chain in IPsec output, check that the next extension header is within the packet length. Also check at the end that the IPv4 headers are not longer than the packet. reported by Maxime Villard; from markus@ via NetBSD; OK mpi@
---
 sys/netinet/ipsec_output.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'sys/netinet')
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index ab65bf4f92b..2e90a2f6973 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.70 2017/11/08 16:29:20 visa Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.71 2018/05/14 15:04:05 bluhm Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
@@ -321,7 +321,10 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 */
 dstopt = 2;
 }
-
+ if (m->m_pkthdr.len < hlen + sizeof(ip6e)) {
+ m_freem(m);
+ return EINVAL;
+ }
 /* skip this header */
 m_copydata(m, hlen, sizeof(ip6e), (caddr_t)&ip6e);
@@ -342,6 +345,11 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 #endif /* INET6 */
 }
+ if (m->m_pkthdr.len < hlen) {
+ m_freem(m);
+ return EINVAL;
+ }
+ /* Non expansion policy for IPCOMP */
 if (tdb->tdb_sproto == IPPROTO_IPCOMP) {
 if ((m->m_pkthdr.len - hlen) < tdb->tdb_compalgxform->minlen) {
-- cgit v1.2.3
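Review bot: The new bound check ahead of `m_copydata()` in the extension-header walk drops the packet with `m_freem(m); return EINVAL;` and leaves no trace, and the same is true of the `m->m_pkthdr.len < hlen` check added in the hunk at -342. A header chain that claims to run past the end of its own packet is malformed input that an operator would want to see counted or logged, not silently discarded. If the other error paths of ipsp_process_packet, which lie outside these hunks, emit a debug message or bump a statistic, both new paths should do the same, for example `DPRINTF(("%s: header chain exceeds packet length\n", __func__));` placed before the `m_freem(m)`. The enclosing function starts and ends outside the hunk.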
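Review bot: The `if (m->m_pkthdr.len < hlen)` guard added after the address-family switch carries no comment saying what it protects, although the IPCOMP test directly below computes `m->m_pkthdr.len - hlen` and relies on that difference not being negative. A one-line comment above the check, such as `/* header length must not exceed the packet; the IPCOMP test below subtracts hlen from it */`, would stop the guard from being read as redundant and removed later. The switch body and the rest of the function are only partly visible in this hunk, so how hlen is computed for the IPv4 case is taken from the commit message, not from the code shown.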