---
- branch: netbsd-8
  date: Sat May 5 19:31:33 UTC 2018
  files:
  - new: 1.48.2.3
    old: 1.48.2.2
    path: src/sys/netipsec/ipsec_output.c
    pathrev: src/sys/netipsec/ipsec_output.c@1.48.2.3
    type: modified
  id: 20180505T193133Z.e7641afbd3c47297cbc57903b41c1fcdbe95d8f3
  log: |
    Pull up following revision(s) (requested by maxv in ticket #799):

    	sys/netipsec/ipsec_output.c: revision 1.75
    	sys/netipsec/ipsec_output.c: revision 1.67

    Strengthen this check, to make sure there is room for an ip6_ext structure.
    Seems possible to crash m_copydata here (but I didn't test more than that).

    Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
    already fixed half of the problem two months ago in rev1.67, back then I
    thought it was not triggerable because each packet we emit is guaranteed
    to have correctly formed IPv6 options; but it is actually triggerable via
    IPv6 forwarding, we emit a packet we just received, and we don't sanitize
    its options before invoking IPsec.

    Since it would be wrong to just stop the iteration and continue the IPsec
    processing, allow compute_ipsec_pos to fail, and when it does, drop the
    packet entirely.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netipsec'
  unixtime: '1525548693'
  user: martin