
D11796.diff

D11796.diff

Index: head/sys/netipsec/key.c
===================================================================
--- head/sys/netipsec/key.c
+++ head/sys/netipsec/key.c
@@ -1403,7 +1403,8 @@
while (tlen > 0) {
/* length check */
- if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
+ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr) ||
+ xisr->sadb_x_ipsecrequest_len > tlen) {
ipseclog((LOG_DEBUG, "%s: invalid ipsecrequest "
"length.\n", __func__));
key_freesp(&newsp);
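Review bot: The length check reads `xisr->sadb_x_ipsecrequest_len` while the loop condition only guarantees `tlen > 0`, so if `tlen` can be smaller than that field, the read itself goes past the remaining data before the new `> tlen` clause rejects the request. Whether that can happen depends on how `tlen` is derived, which is outside the hunk; if nothing already guarantees it, putting `tlen < sizeof(*xisr) ||` first in the condition closes the gap. The declaration of `tlen` is also not visible here, so it is worth confirming that comparing it with the unsigned length field behaves as intended for every value it can hold. The loop body continues past the end of the hunk.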
@@ -1517,10 +1518,12 @@
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *paddr;
+ len = tlen - sizeof(*xisr);
paddr = (struct sockaddr *)(xisr + 1);
/* validity check */
- if (paddr->sa_len
- > sizeof(isr->saidx.src)) {
+ if (len < sizeof(struct sockaddr) ||
+ len < 2 * paddr->sa_len ||
+ paddr->sa_len > sizeof(isr->saidx.src)) {
ipseclog((LOG_DEBUG, "%s: invalid "
"request address length.\n",
__func__));
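Review bot: The rewritten validity check puts an upper bound on `paddr->sa_len` but no lower bound, so a value of 0 passes all three clauses. As far as the visible lines show, it also passes the later `sizeof(*xisr) + 2 * paddr->sa_len` test. The `bcopy` then copies nothing into `isr->saidx.src`, and the destination comparison is made against whatever `isr->saidx.src.sa.sa_len` held before. Consider adding `paddr->sa_len < offsetof(struct sockaddr, sa_data) ||` (or a stricter per-family minimum) to the condition, unless the addresses are validated after this block, which is outside the hunk. Separately, `len` is derived from `tlen` rather than from `xisr->sadb_x_ipsecrequest_len`, so it bounds the addresses by the rest of the message, not by this request; a one-line comment such as `/* len: bytes left in the whole extension, not in this request */` would make that explicit.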
@@ -1528,13 +1531,26 @@
*error = EINVAL;
return NULL;
}
+ /*
+ * Request length should be enough to keep
+ * source and destination addresses.
+ */
+ if (xisr->sadb_x_ipsecrequest_len <
+ sizeof(*xisr) + 2 * paddr->sa_len) {
+ ipseclog((LOG_DEBUG, "%s: invalid "
+ "ipsecrequest length.\n",
+ __func__));
+ key_freesp(&newsp);
+ *error = EINVAL;
+ return (NULL);
+ }
bcopy(paddr, &isr->saidx.src, paddr->sa_len);
paddr = (struct sockaddr *)((caddr_t)paddr +
paddr->sa_len);
/* validity check */
- if (paddr->sa_len
- > sizeof(isr->saidx.dst)) {
+ if (paddr->sa_len !=
+ isr->saidx.src.sa.sa_len) {
ipseclog((LOG_DEBUG, "%s: invalid "
"request address length.\n",
__func__));
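Review bot: The destination check now compares `paddr->sa_len` only with `isr->saidx.src.sa.sa_len` and drops the explicit bound against `sizeof(isr->saidx.dst)`, so the copy into `dst` (outside the hunk) is safe only if `dst` is at least as large as `src`. Their declarations are not visible here; if they share a type, a comment such as `/* dst must match src length; src is already bounded by sizeof(isr->saidx.src) */` or a `CTASSERT(sizeof(isr->saidx.src) == sizeof(isr->saidx.dst));` would record that dependency. Only the lengths are compared, so a destination with a different `sa_family` but the same `sa_len` still passes unless it is rejected later. As a style point, the added block uses `return (NULL);` while the context line just above uses `return NULL;`, and its log text "invalid ipsecrequest length" is identical to the message of the first length check, which makes the two failures indistinguishable in the debug log.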
