---
- branch: netbsd-6
  date: Tue Mar 13 17:18:16 UTC 2018
  files:
  - new: 1.37.2.4
    old: 1.37.2.3
    path: src/sys/netipsec/xform_ah.c
    pathrev: src/sys/netipsec/xform_ah.c@1.37.2.4
    type: modified
  - new: 1.40.2.1
    old: '1.40'
    path: src/sys/netipsec/xform_esp.c
    pathrev: src/sys/netipsec/xform_esp.c@1.40.2.1
    type: modified
  - new: 1.28.8.2
    old: 1.28.8.1
    path: src/sys/netipsec/xform_ipip.c
    pathrev: src/sys/netipsec/xform_ipip.c@1.28.8.2
    type: modified
  id: 20180313T171816Z.e8b531f427825220db65c175776534e0bcb25348
  log: |
    Pull up following revision(s) (requested by maxv in ticket #1532):
        sys/netipsec/xform_ah.c: 1.77 via patch
        sys/netipsec/xform_esp.c: 1.73 via patch
        sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
    Reinforce and clarify.
    --
    Add missing NULL check. Normally that's not triggerable remotely, since we
    are guaranteed that 8 bytes are valid at mbuf+skip.
    --
    Fix use-after-free. There is a path where the mbuf gets pulled up without
    a proper mtod afterwards:
    218 ipo = mtod(m, struct ip *);
    281 m = m_pullup(m, hlen);
    232 ipo->ip_src.s_addr
    Found by Mootja.
    Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
    packet is IPv6, but I'll revisit that later.
    --
    As I said in my last commit in this file, ipo should be set to NULL;
    otherwise the 'local address spoofing' check below is always wrong on
    IPv6.
  module: src
  subject: 'CVS commit: [netbsd-6] src/sys/netipsec'
  unixtime: '1520961496'
  user: snj