diff options
| author | Gordon Tetlow <gordon@FreeBSD.org> | 2018-03-07 05:53:35 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2018-03-07 05:53:35 +0000 |
| commit | db9a031547fb7afb369eb4682b10e85a69363a64 (patch) | |
| tree | a21e24dd0852a875d26da91c7827059c1d21122f | |
| parent | 778b7c0a70931e839ad663ef880a0257a8fe3a80 (diff) | |
| download | src-test2-db9a031547fb7afb369eb4682b10e85a69363a64.tar.gz src-test2-db9a031547fb7afb369eb4682b10e85a69363a64.zip | |
Notes
| -rw-r--r-- | UPDATING | 13 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/netipsec/xform_ah.c | 15 |
3 files changed, 28 insertions, 2 deletions
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20180307 p27 FreeBSD-SA-18:01.ipsec + FreeBSD-SA-18:02.ntp + FreeBSD-EN-18:01.tzdata + FreeBSD-EN-18:02.file + + Fix ipsec validation and use-after-free. [SA-18:01.ipsec] + + Fix multiple vulnerabilities in ntp. [SA-18:02.ntp] + + Update timezone database information. [EN-18:01.tzdata] + + Update file(1) to new version with security update. [EN-18:02.file] + 20171209 p26 FreeBSD-SA-17:12.openssl Fix OpenSSL error state vulnerability. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index ea4ab58c1e44..1a76473a39fd 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p26" +BRANCH="RELEASE-p27" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index afa452cac0bb..3f678414c322 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -615,6 +615,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) m_freem(m); return EACCES; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -680,6 +690,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -704,7 +717,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_nxt = ah->ah_nxt; + tc->tc_nxt = hl; tc->tc_protoff = protoff; tc->tc_skip = skip; tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */ |