---
- branch: netbsd-8
  date: Fri Jan 26 19:51:19 UTC 2018
  files:
  - new: 1.54.2.2
    old: 1.54.2.1
    path: src/sys/netipsec/xform_ah.c
    pathrev: src/sys/netipsec/xform_ah.c@1.54.2.2
    type: modified
  id: 20180126T195119Z.906bd9d50e66efa82a1c30a0db8c0173ac3b4088
  log: |
    Pull up following revision(s) (requested by maxv in ticket #512):
    	sys/netipsec/xform_ah.c: revision 1.75
    	sys/netipsec/xform_ah.c: revision 1.76
    Revert a part of rev1.49 (six months ago). The pointer given to memcpy
    was correct.
    Discussed with Christos and Ryota.
    Fix a vulnerability in IPsec-IPv6-AH, that allows an attacker to remotely
    crash the kernel with a single packet.
    In this loop we need to increment 'ad' by two, because the length field
    of the option header does not count the size of the option header itself.
    If the length is zero, then 'count' is incremented by zero, and there's
    an infinite loop. Beyond that, this code was written with the assumption
    that since the IPv6 packet already went through the generic IPv6 option
    parser, several fields are guaranteed to be valid; but this assumption
    does not hold because of the missing '+2', and there's as a result a
    triggerable buffer overflow (write zeros after the end of the mbuf,
    potentially to the next mbuf in memory since it's a pool).
    Add the missing '+2', this place will be reinforced in separate commits.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netipsec'
  unixtime: '1516996279'
  user: martin