---
branch: netbsd-8
date: Tue Apr 17 15:06:20 UTC 2018
files:
  - new: 1.16.2.1
    old: '1.16'
    path: src/sys/netipsec/ipsec_mbuf.c
    pathrev: src/sys/netipsec/ipsec_mbuf.c@1.16.2.1
    type: modified
id: 20180417T150620Z.5d6b32d181bf2a75452cd200f2216cc1ce26d082
log: |
  Pull up following revision(s) (requested by maxv in ticket #773):

  	sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24

  Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
  should, but it looks like there are several places that can put M_PKTHDR
  on secondary mbufs (PR/53189), so drop this assumption right now to
  prevent further bugs.

  The check is replaced by (m1 != m), which is equivalent to the previous
  code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
  m_adj().

  Fix a pretty bad mistake, that has always been there.

  		m_adj(m1, -(m1->m_len - roff));
  		if (m1 != m)
  			m->m_pkthdr.len -= (m1->m_len - roff);

  This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
  when manually adjusting m->m_pkthdr.len.

  Because of that, it is possible to exploit the attack I described in
  uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
  reliably.
module: src
subject: 'CVS commit: [netbsd-8] src/sys/netipsec'
unixtime: '1523977580'
user: martin