Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we may crash here. Triggerable remotely, but after authentication, by sending an AH packet that has a one-byte-sized IPIP payload.
This commit is contained in:
parent
ecb11c8936
commit
ff46a2a32a
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipsec_input.c,v 1.56 2018/02/08 20:57:41 maxv Exp $ */
|
||||
/* $NetBSD: ipsec_input.c,v 1.57 2018/02/21 16:08:55 maxv Exp $ */
|
||||
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
|
||||
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.56 2018/02/08 20:57:41 maxv Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.57 2018/02/21 16:08:55 maxv Exp $");
|
||||
|
||||
/*
|
||||
* IPsec input processing.
|
||||
|
@ -384,14 +384,15 @@ cantpull:
|
|||
|
||||
prot = ip->ip_p;
|
||||
|
||||
#ifdef notyet
|
||||
/* IP-in-IP encapsulation */
|
||||
if (prot == IPPROTO_IPIP) {
|
||||
struct ip ipn;
|
||||
|
||||
/* ipn will now contain the inner IPv4 header */
|
||||
/* XXX: check m_pkthdr.len */
|
||||
m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
|
||||
|
||||
#ifdef notyet
|
||||
/* XXX PROXY address isn't recorded in SAH */
|
||||
/*
|
||||
* Check that the inner source address is the same as
|
||||
|
@ -420,7 +421,6 @@ cantpull:
|
|||
error = EACCES;
|
||||
goto bad;
|
||||
}
|
||||
#endif /*XXX*/
|
||||
}
|
||||
#if INET6
|
||||
/* IPv6-in-IP encapsulation. */
|
||||
|
@ -428,9 +428,9 @@ cantpull:
|
|||
struct ip6_hdr ip6n;
|
||||
|
||||
/* ip6n will now contain the inner IPv6 header. */
|
||||
/* XXX: check m_pkthdr.len */
|
||||
m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
|
||||
|
||||
#ifdef notyet
|
||||
/*
|
||||
* Check that the inner source address is the same as
|
||||
* the proxy address, if available.
|
||||
|
@ -458,9 +458,9 @@ cantpull:
|
|||
error = EACCES;
|
||||
goto bad;
|
||||
}
|
||||
#endif /*XXX*/
|
||||
}
|
||||
#endif /* INET6 */
|
||||
#endif /* notyet */
|
||||
|
||||
key_sa_recordxfer(sav, m); /* record data transfer */
|
||||
|
||||
|
|
Loading…
Reference in New Issue