diff options
author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2011-04-01 14:13:49 +0000 |
---|---|---|
committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2011-04-01 14:13:49 +0000 |
commit | dc49da9761be67e7429cfc02fd8893dd15336662 (patch) | |
tree | f33a9f12ce08fdea9e5e28a45c7bf4cd355ab29c /sys/netipsec | |
parent | 1fe80828e72af1c4f17f946eb8fe0d4070ae22c7 (diff) | |
download | src-dc49da9761be67e7429cfc02fd8893dd15336662.tar.gz src-dc49da9761be67e7429cfc02fd8893dd15336662.zip |
Do not allow recursive RFC3173 IPComp payload.
Reviewed by: Tavis Ormandy (taviso cmpxchg8b.com)
MFC after: 5 days
Security: CVE-2011-1547
Notes
Notes:
svn path=/head/; revision=220247
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 5b2032a31cd5..41381e7dbc2f 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -142,8 +142,29 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) struct tdb_crypto *tc; struct cryptodesc *crdc; struct cryptop *crp; + struct ipcomp *ipcomp; + caddr_t addr; int hlen = IPCOMP_HLENGTH; + /* + * Check that the next header of the IPComp is not IPComp again, before + * doing any real work. Given it is not possible to do double + * compression it means someone is playing tricks on us. + */ + if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) { + V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + DPRINTF(("%s: m_pullup failed\n", __func__)); + return (ENOBUFS); + } + addr = (caddr_t) mtod(m, struct ip *) + skip; + ipcomp = (struct ipcomp *)addr; + if (ipcomp->comp_nxt == IPPROTO_IPCOMP) { + m_freem(m); + V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */ + DPRINTF(("%s: recursive compression detected\n", __func__)); + return (EINVAL); + } + /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { |