Module Name: src
Committed By: maxv
Date: Tue Apr 17 09:06:33 UTC 2018
Modified Files:
src/sys/netipsec: ipsec_mbuf.c
Log Message:
Fix a pretty bad mistake, that has always been there.
m_adj(m1, -(m1->m_len - roff));
if (m1 != m)
m->m_pkthdr.len -= (m1->m_len - roff);
This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.
Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/ipsec_mbuf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
