Module Name: src
Committed By: maxv
Date: Wed Jan 24 14:28:13 UTC 2018
Modified Files:
src/sys/netipsec: ipsec_input.c
Log Message:
Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.
I'm not sure whether this an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/sys/netipsec/ipsec_input.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
