Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Date: Thu, 3 May 2018 14:48:26 +0000
From: "Martin Husemann" <martin@netbsd.org>
Subject: CVS commit: [netbsd-7-1] src/sys/netipsec
To: source-changes@NetBSD.org
Message-Id: <20180503144826.EFC39FBEC@cvs.NetBSD.org>
Sender: source-changes-owner@NetBSD.org
Precedence: bulk
Reply-To: source-changes-d@NetBSD.org
Mail-Reply-To: "Martin Husemann" <martin@netbsd.org>
Mail-Followup-To: source-changes-d@NetBSD.org

Module Name:	src
Committed By:	martin
Date:		Thu May  3 14:48:26 UTC 2018

Modified Files:
	src/sys/netipsec [netbsd-7-1]: ipsec_output.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1600):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.40.12.1 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.