diff options
| author | gordon <gordon@FreeBSD.org> | 2018-03-07 05:53:35 +0000 |
|---|---|---|
| committer | gordon <gordon@FreeBSD.org> | 2018-03-07 05:53:35 +0000 |
| commit | 722c1ce56e86ad17ed56adee959f19b00bc1ca93 (patch) | |
| tree | 7f09cf7ff7b5c7dd41e65375c4105e119646b63f | |
| parent | f9756700e2c7432a9b1f88dc9874a7c51a9fde62 (diff) | |
| download | FreeBSD-src-722c1ce56e86ad17ed56adee959f19b00bc1ca93.zip FreeBSD-src-722c1ce56e86ad17ed56adee959f19b00bc1ca93.tar.gz | |
Fix ipsec validation and use-after-free. [SA-18:01.ipsec]
Approved by: so
Security: FreeBSD-SA-18:01.ipsec
Security: CVE-2018-6916
| -rw-r--r-- | UPDATING | 13 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/netipsec/xform_ah.c | 15 |
3 files changed, 28 insertions, 2 deletions
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20180307 p7 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p6 FreeBSD-SA-17:12.openssl Fix multiple vulnerabilities of OpenSSL. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 75b4847..0a0893e 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.1" -BRANCH="RELEASE-p6" +BRANCH="RELEASE-p7" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index fada7b7..98d22f5 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -598,6 +598,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -642,6 +652,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -664,7 +677,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* These are passed as-is to the callback. */ xd->sav = sav; - xd->nxt = ah->ah_nxt; + xd->nxt = hl; xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid; |
