Page MenuHomeFreeBSD

ipsec: Validate the protocol identifier in ipsec4_ctlinput()
ClosedPublic

Authored by markj on Sep 9 2021, 5:11 PM.
Tags
None
Referenced Files
F131791967: D31890.diff
Sat, Oct 11, 5:02 AM
F131726794: D31890.diff
Fri, Oct 10, 4:37 PM
Unknown Object (File)
Mon, Sep 29, 1:20 AM
Unknown Object (File)
Wed, Sep 24, 9:36 PM
Unknown Object (File)
Wed, Sep 24, 12:43 PM
Unknown Object (File)
Wed, Sep 24, 3:00 AM
Unknown Object (File)
Fri, Sep 12, 9:34 PM
Unknown Object (File)
Thu, Sep 11, 9:53 AM
Subscribers

Details

Summary

key_allocsa() expects to handle only IPSec protocols and has an
assertion to this effect. However, ipsec4_ctlinput() has to handle
messages from ICMP unreachable packets and was not validating the
protocol number. In practice I believe such a packet would simply fail
to match any SADB entries and would thus be ignored.

Reported by: syzbot+6a9ef6fcfadb9f3877fe@syzkaller.appspotmail.com

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable