From 7945dbb7bd8e4ee97efa0e69f1beb58618e87ab9 Mon Sep 17 00:00:00 2001
From: sam <sam@FreeBSD.org>
Date: Wed, 13 Aug 2003 22:36:24 +0000
Subject: make sure the packets contains a complete inner header for
 ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over
 ipsec

Submitted by:	Markus Friedl <markus@openbsd.org>
Obtained from:	OpenBSD (rev 1.66 ipsec_input.c)
---
 sys/netipsec/ipsec_input.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'sys/netipsec/ipsec_input.c')

diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index fb64a05..17e5218 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -323,6 +323,13 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
+		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
+			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			    ahstat.ahs_hdrops,
+			    ipcompstat.ipcomps_hdrops);
+			error = EINVAL;
+			goto bad;
+		}
 		/* ipn will now contain the inner IPv4 header */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
 		    (caddr_t) &ipn);
@@ -362,6 +369,13 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
+		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
+			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			    ahstat.ahs_hdrops,
+			    ipcompstat.ipcomps_hdrops);
+			error = EINVAL;
+			goto bad;
+		}
 		/* ip6n will now contain the inner IPv6 header. */
 		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr),
 		    (caddr_t) &ip6n);
@@ -633,6 +647,13 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 	if (prot == IPPROTO_IPIP) {
 		struct ip ipn;
 
+		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
+			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			    ahstat.ahs_hdrops,
+			    ipcompstat.ipcomps_hdrops);
+			error = EINVAL;
+			goto bad;
+		}
 		/* ipn will now contain the inner IPv4 header */
 		m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
 
@@ -668,6 +689,13 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 	if (prot == IPPROTO_IPV6) {
 		struct ip6_hdr ip6n;
 
+		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
+			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+			    ahstat.ahs_hdrops,
+			    ipcompstat.ipcomps_hdrops);
+			error = EINVAL;
+			goto bad;
+		}
 		/* ip6n will now contain the inner IPv6 header. */
 		m_copydata(m, skip, sizeof(struct ip6_hdr),
 		    (caddr_t) &ip6n);
-- 
cgit v1.1