Module Name: src Committed By: spz Date: Fri Apr 1 08:25:02 UTC 2011
Modified Files: src/sys/netinet6: ipcomp_input.c Log Message: mitigation for CVE-2011-1024; this should really be solved by counting nested headers (like in the inet6 case) instead To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.37 src/sys/netinet6/ipcomp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.36 src/sys/netinet6/ipcomp_input.c:1.37
--- src/sys/netinet6/ipcomp_input.c:1.36 Mon May 5 13:41:30 2008
+++ src/sys/netinet6/ipcomp_input.c Fri Apr 1 08:25:02 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $ */
+/* $NetBSD: ipcomp_input.c,v 1.37 2011/04/01 08:25:02 spz Exp $ */
 /* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */
 /*
@@ -35,7 +35,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.36 2008/05/05 13:41:30 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.37 2011/04/01 08:25:02 spz Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -148,6 +148,13 @@
 ipcomp = mtod(md, struct ipcomp *);
 ip = mtod(m, struct ip *);
 nxt = ipcomp->comp_nxt;
+ if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+ /* nested ipcomp - possible attack, not likely useful */
+ ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp " "(bailing)\n"));
+ IPSEC_STATINC(IPSEC_STAT_IN_INVAL);
+ goto fail;
+ }
 hlen = ip->ip_hl << 2;
 cpi = ntohs(ipcomp->comp_cpi);
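Review bot: The comment and the ipseclog text in the new guard (hunk @@ -148,6 +148,13 @@) say "nested ipcomp", but the condition also rejects AH and ESP as the protocol following the IPComp header, so an operator investigating dropped ESP-after-IPComp or AH-after-IPComp traffic would be told the cause was nested IPComp. The comment should name what is actually refused, e.g. `/* IPComp, AH or ESP directly after IPComp: nested IPsec header - possible attack, not likely useful */`, and the message could read `"IPv4 IPComp input: nested IPsec header after ipcomp (bailing)\n"`; logging the value of `nxt` as well would make the drop diagnosable, with the format specifier chosen to match nxt's declared type, which is outside the hunk. Since the guard rejects these packets before the CPI is even read, it is worth a sentence in the comment stating that this is a deliberate policy rather than a parsing failure, so the IPSEC_STAT_IN_INVAL accounting is not misread later. The enclosing function starts and ends outside the hunk, so whether the `fail:` label releases the mbuf chain the same way as the function's other `goto fail` paths cannot be confirmed here.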