Module Name: src
Committed By: riz
Date: Sun Apr 3 15:16:11 UTC 2011
Modified Files:
src/sys/netinet6 [netbsd-4]: ipcomp_input.c
src/sys/netipsec [netbsd-4]: xform_ipcomp.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1425):
sys/netipsec/xform_ipcomp.c: revision 1.26
sys/netinet6/ipcomp_input.c: revision 1.37
mitigation for CVE-2011-1547
this should really be solved by counting nested headers (like in the
inet6 case) instead
mitigation for CVE-2011-1547
To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.30.2.1 src/sys/netinet6/ipcomp_input.c
cvs rdiff -u -r1.8.2.1 -r1.8.2.2 src/sys/netipsec/xform_ipcomp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ipcomp_input.c
diff -u src/sys/netinet6/ipcomp_input.c:1.30 src/sys/netinet6/ipcomp_input.c:1.30.2.1
--- src/sys/netinet6/ipcomp_input.c:1.30 Thu Nov 16 01:33:45 2006
+++ src/sys/netinet6/ipcomp_input.c Sun Apr 3 15:16:11 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $ */
+/* $NetBSD: ipcomp_input.c,v 1.30.2.1 2011/04/03 15:16:11 riz Exp $ */
/* $KAME: ipcomp_input.c,v 1.29 2001/09/04 08:43:19 itojun Exp $ */
/*
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.30 2006/11/16 01:33:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipcomp_input.c,v 1.30.2.1 2011/04/03 15:16:11 riz Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -140,6 +140,14 @@
ipcomp = mtod(md, struct ipcomp *);
ip = mtod(m, struct ip *);
nxt = ipcomp->comp_nxt;
+ if (nxt == IPPROTO_IPCOMP || nxt == IPPROTO_AH || nxt == IPPROTO_ESP) {
+ /* nested ipcomp - possible attack, not likely useful */
+ ipseclog((LOG_DEBUG, "IPv4 IPComp input: nested ipcomp "
+ "(bailing)\n"));
+ ipsecstat.in_inval++;
+ goto fail;
+ }
+
#ifdef _IP_VHL
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
#else
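Review bot: The debug text on the added lines reads `nested ipcomp (bailing)`, yet the guard also fires when comp_nxt is IPPROTO_AH or IPPROTO_ESP, so an operator reading the log would misattribute an AH- or ESP-behind-IPComp packet; change it to `"IPv4 IPComp input: nested IPComp/AH/ESP (bailing)\n"` and widen the comment to `/* IPComp/AH/ESP directly behind IPComp - possible attack, not likely useful */`. The check also inspects only the immediate next header: if the decompressed payload is handed back to the protocol dispatcher (not visible here), an IPComp header sitting behind an intervening encapsulation such as IPIP would presumably still recurse, which matches the log message's own remark that a nesting counter as in the inet6 path is the real fix, so an `XXX` comment at the check stating this limitation would keep it from being mistaken for a complete fix. The enclosing function and its `fail:` label start and end outside the hunk.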
Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.8.2.1 src/sys/netipsec/xform_ipcomp.c:1.8.2.2
--- src/sys/netipsec/xform_ipcomp.c:1.8.2.1 Thu May 24 19:13:13 2007
+++ src/sys/netipsec/xform_ipcomp.c Sun Apr 3 15:16:10 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.8.2.2 2011/04/03 15:16:10 riz Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.1 2007/05/24 19:13:13 pavel Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.8.2.2 2011/04/03 15:16:10 riz Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#include "opt_inet.h"
@@ -297,6 +297,14 @@
/* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
nproto = ((struct ipcomp *) addr)->comp_nxt;
+ if (nproto == IPPROTO_IPCOMP || nproto == IPPROTO_AH || nproto == IPPROTO_ESP) {
+ ipcompstat.ipcomps_hdrops++;
+ DPRINTF(("ipcomp_input_cb: nested ipcomp, IPCA %s/%08lx\n",
+ ipsec_address(&sav->sah->saidx.dst),
+ (u_long) ntohl(sav->spi)));
+ error = EINVAL;
+ goto bad;
+ }
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);