Module Name: src Committed By: riz Date: Sun Apr 3 15:15:09 UTC 2011
Modified Files: src/sys/netinet6 [netbsd-4-0]: ipcomp_input.c src/sys/netipsec [netbsd-4-0]: xform_ipcomp.c Log Message: Pull up following revision(s) (requested by spz in ticket #1425): sys/netipsec/xform_ipcomp.c: revision 1.26 sys/netinet6/ipcomp_input.c: revision 1.37 mitigation for CVE-2011-1547 this should really be solved by counting nested headers (like in the inet6 case) instead mitigation for CVE-2011-1547 To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.30.12.1 src/sys/netinet6/ipcomp_input.c cvs rdiff -u -r1.8.2.1 -r1.8.2.1.4.1 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.30 src/sys/netinet6/ipcomp_input.c:1.30.12.1
--- src/sys/netinet6/ipcomp_input.c:1.30 Thu Nov 16 01:33:45 2006
+++ src/sys/netinet6/ipcomp_input.c Sun Apr 3 15:15:09 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $ */
+/* $NetBSD: ipcomp_input.c,v 1.30.12.1 2011/04/03 15:15:09 riz Exp $ */
/* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */
/*
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.30.12.1 2011/04/03 15:15:09 riz Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -140,6 +140,14 @@
ipcomp = mtod(md, struct ipcomp *);
ip = mtod(m, struct ip *);
nxt = ipcomp->comp_nxt;
+ if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+ /* nested ipcomp - possible attack, not likely useful */
+ ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp "
+ "(bailing)\n"));
+ ipsecstat.in_inval++;
+ goto fail;
+ }
+
#ifdef _IP_VHL
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
#else
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.8.2.1 src/sys/netipsec/xform_ipcomp.c:1.8.2.1.4.1
--- src/sys/netipsec/xform_ipcomp.c:1.8.2.1 Thu May 24 19:13:13 2007
+++ src/sys/netipsec/xform_ipcomp.c Sun Apr 3 15:15:09 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.8.2.1.4.1 2011/04/03 15:15:09 riz Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
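Review bot: The comment and the ipseclog string added in the IPv4 input hunk (@@ -140,6 +140,14 @@) say "nested ipcomp", but the condition also rejects IPPROTO_AH and IPPROTO_ESP as the inner protocol, so the comment should name what is actually rejected: `/* IPComp/AH/ESP directly inside IPComp - possible attack, not likely useful */`. The guard only inspects the immediate comp_nxt value, so an IPComp header reached through an intermediate encapsulation layer is not caught; the commit log already says the complete fix is a nesting counter as in the inet6 path, and the comment should record that this is an interim mitigation for CVE-2011-1547 so the limitation is visible to the next maintainer. The `fail` label and the rest of the function are outside the hunk, so whether the mbuf is released on that path cannot be confirmed here.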
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1.4.1 2011/04/03 15:15:09 riz Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#include "opt_inet.h"
@@ -297,6 +297,14 @@
/* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
nproto = ((struct ipcomp *) addr)->comp_nxt;
+ if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) {
+ ipcompstat.ipcomps_hdrops++;
+ DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n",
+ ipsec_address(&sav->sah->saidx.dst),
+ (u_long) ntohl(sav->spi)));
+ error = EINVAL;
+ goto bad;
+ }
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
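Review bot: The new guard in ipcomp_input_cb (@@ -297,6 +297,14 @@) has no comment explaining why exactly these three protocol numbers are refused, unlike the sibling change in ipcomp_input.c; add `/* Refuse IPComp/AH/ESP directly inside IPComp: unbounded nesting, CVE-2011-1547 */` above the `if`. Since this is the completion callback, the decompression work has already been done by the time the packet is dropped; if comp_nxt is readable in ipcomp_input before the request is dispatched (the header is still in the mbuf, as the m_striphdr call below shows), repeating the check there would reject such packets before the expensive step and limit the cost of this inexpensive-to-send input. The DPRINTF dereferences `sav->sah->saidx.dst` and `sav->spi`, which relies on sav having been validated earlier in the callback, outside the hunk, and the `bad` cleanup path is likewise not visible here.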