---
- branch: netbsd-8
  date: Sat Mar 31 10:46:20 UTC 2018
  files:
  - new: 1.43.2.5
    old: 1.43.2.4
    path: src/sys/netipsec/ipsec_input.c
    pathrev: src/sys/netipsec/ipsec_input.c@1.43.2.5
    type: modified
  id: 20180331T104620Z.a3094d83727fb5fa37bdb6e7c3e5af191df5a7ce
  log: "Pull up following revision(s) (requested by maxv in ticket #677):\n\n\tsys/netipsec/ipsec_input.c: revision 1.55\n\nFix the iteration: IPPROTO_FRAGMENT options are special, in the sense\nthat they don't have a 'length' field. It is therefore incorrect to\nread ip6e.ip6e_len, it contains garbage.\n\nI'm not sure whether this is an exploitable vulnerability. Because of this\nbug you could theoretically craft 'protoff', which means that you can\nhave the kernel patch the nxt value at the wrong place once the packet\nis decrypted. Perhaps it can be used in some unusual MITM - a router that\nhappens to be between two IPsec hosts adds a frag6 option in the outer\nIPv6 header to trigger the bug in the receiver -, but I couldn't come up\nwith anything worrying.\n"
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netipsec'
  unixtime: '1522493180'
  user: martin