FreeBSD Bugzilla – Attachment 208061 Details for
Bug 241010
netipsec: key_dup_keymsg bcopy too much bytes
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
check and use sadb_key_bits
fix_key_dup_keymsg_with_check.patch (text/plain), 1.88 KB, created by
Jean-François Hren
on 2019-10-03 15:29:13 UTC
(
hide
)
Description:
check and use sadb_key_bits
Filename:
MIME Type:
Creator:
Jean-François Hren
Created:
2019-10-03 15:29:13 UTC
Size:
1.88 KB
patch
obsolete
>--- key.c.orig 2019-10-02 15:10:03.942663289 +0200 >+++ key.c 2019-10-03 17:18:22.904198382 +0200 >@@ -675,7 +675,7 @@ > static struct mbuf *key_setsadbxsareplay(u_int32_t); > static struct mbuf *key_setsadbxpolicy(u_int16_t, u_int8_t, > u_int32_t, u_int32_t); >-static struct seckey *key_dup_keymsg(const struct sadb_key *, size_t, >+static struct seckey *key_dup_keymsg(const struct sadb_key *, > struct malloc_type *); > static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src, > struct malloc_type *); >@@ -3400,6 +3400,8 @@ > if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) && > sav->alg_auth != SADB_X_AALG_NULL) > error = EINVAL; >+ if ((sizeof(struct sadb_key) + (key0->sadb_key_bits >> 3)) > len) >+ error = EINVAL; > break; > case SADB_X_SATYPE_IPCOMP: > default: >@@ -3412,7 +3414,7 @@ > goto fail; > } > >- sav->key_auth = key_dup_keymsg(key0, len, M_IPSEC_MISC); >+ sav->key_auth = key_dup_keymsg(key0, M_IPSEC_MISC); > if (sav->key_auth == NULL ) { > ipseclog((LOG_DEBUG, "%s: No more memory.\n", > __func__)); >@@ -3438,7 +3440,11 @@ > error = EINVAL; > break; > } >- sav->key_enc = key_dup_keymsg(key0, len, M_IPSEC_MISC); >+ if ((sizeof(struct sadb_key) + (key0->sadb_key_bits >> 3)) > len) { >+ error = EINVAL; >+ break; >+ } >+ sav->key_enc = key_dup_keymsg(key0, M_IPSEC_MISC); > if (sav->key_enc == NULL) { > ipseclog((LOG_DEBUG, "%s: No more memory.\n", > __func__)); >@@ -4064,13 +4070,15 @@ > * OUT: NULL no more memory > */ > struct seckey * >-key_dup_keymsg(const struct sadb_key *src, size_t len, >+key_dup_keymsg(const struct sadb_key *src, > struct malloc_type *type) > { > struct seckey *dst; >+ size_t len; > > dst = malloc(sizeof(*dst), type, M_NOWAIT); > if (dst != NULL) { >+ len = src->sadb_key_bits >> 3; > dst->bits = src->sadb_key_bits; > dst->key_data = malloc(len, type, M_NOWAIT); > if (dst->key_data != NULL) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=208061">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 241010
:
208030
| 208061