| Summary: | [ip6] Invalid protocol value in ipsec6_common_input_cb | ||
|---|---|---|---|
| Product: | Base System | Reporter: | david gueluy <david.gueluy> |
| Component: | kern | Assignee: | Andrey V. Elsukov <ae> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-amd64->freebsd-net Over to maintainer(s). Author: ae Date: Mon Nov 11 13:19:55 2013 New Revision: 257987 URL: http://svnweb.freebsd.org/changeset/base/257987 Log: Initialize prot variable. PR: 177417 MFC after: 1 week Modified: head/sys/netipsec/ipsec_input.c Modified: head/sys/netipsec/ipsec_input.c ============================================================================== --- head/sys/netipsec/ipsec_input.c Mon Nov 11 13:06:31 2013 (r257986) +++ head/sys/netipsec/ipsec_input.c Mon Nov 11 13:19:55 2013 (r257987) @@ -603,6 +603,7 @@ ipsec6_common_input_cb(struct mbuf *m, s ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); /* Save protocol */ + prot = 0; m_copydata(m, protoff, 1, (unsigned char *) &prot); #ifdef notyet _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" State Changed From-To: open->patched Patched in head/. Responsible Changed From-To: freebsd-net->ae Take it. Author: ae Date: Sat Dec 14 04:24:32 2013 New Revision: 259385 URL: http://svnweb.freebsd.org/changeset/base/259385 Log: MFC r257987: Initialize prot variable. PR: 177417 Modified: stable/10/sys/netipsec/ipsec_input.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netipsec/ipsec_input.c ============================================================================== --- stable/10/sys/netipsec/ipsec_input.c Sat Dec 14 04:16:47 2013 (r259384) +++ stable/10/sys/netipsec/ipsec_input.c Sat Dec 14 04:24:32 2013 (r259385) 
@@ -602,6 +602,7 @@ ipsec6_common_input_cb(struct mbuf *m, s ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); /* Save protocol */ + prot = 0; m_copydata(m, protoff, 1, (unsigned char *) &prot); #ifdef notyet _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" Author: ae Date: Sat Dec 14 04:24:50 2013 New Revision: 259386 URL: http://svnweb.freebsd.org/changeset/base/259386 Log: MFC r257987: Initialize prot variable. PR: 177417 Modified: stable/8/sys/netipsec/ipsec_input.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/netipsec/ (props changed) Modified: stable/8/sys/netipsec/ipsec_input.c ============================================================================== --- stable/8/sys/netipsec/ipsec_input.c Sat Dec 14 04:24:32 2013 (r259385) +++ stable/8/sys/netipsec/ipsec_input.c Sat Dec 14 04:24:50 2013 (r259386) @@ -615,6 +615,7 @@ ipsec6_common_input_cb(struct mbuf *m, s ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); /* Save protocol */ + prot = 0; m_copydata(m, protoff, 1, (unsigned char *) &prot); #ifdef notyet _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" Author: ae Date: Sat Dec 14 04:27:28 2013 New Revision: 259387 URL: http://svnweb.freebsd.org/changeset/base/259387 Log: MFC r257987: Initialize prot variable. PR: 177417 Modified: stable/9/sys/netipsec/ipsec_input.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netipsec/ipsec_input.c ============================================================================== --- stable/9/sys/netipsec/ipsec_input.c Sat Dec 14 04:24:50 2013 (r259386) +++ stable/9/sys/netipsec/ipsec_input.c Sat Dec 14 04:27:28 2013 (r259387) 
@@ -602,6 +602,7 @@ ipsec6_common_input_cb(struct mbuf *m, s ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); /* Save protocol */ + prot = 0; m_copydata(m, protoff, 1, (unsigned char *) &prot); #ifdef notyet _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" State Changed From-To: patched->closed Merged to stable/8, stable/9 and stable/10. |
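Review bot: the added `prot = 0;` only makes the following one-byte `m_copydata(m, protoff, 1, (unsigned char *) &prot)` correct where the lowest-addressed byte of `prot` is its least significant byte. The report shows `prot` declared as `int`, so on a big-endian machine the next-header byte still lands in the most significant byte and the value cannot equal IPPROTO_IPIP or IPPROTO_IPV6. Consider copying into a one-byte variable (for example a `uint8_t`) and assigning that to `prot`, or making `prot` itself one byte wide. The point applies equally to the head hunk and to the three MFC hunks for stable/10, stable/8 and stable/9, since they carry the same two lines.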
I use an IPv6 IPSEC tunnel and observe that in ipsec6_common_input_cb (ip6_input.c), the protocol value is invalid.

The problem is that the "prot" variable is not initialized. It's an integer and just 1 single byte is copied from the mbuf into this variable. Prot value will never match IPPROTO_IPIP or IPPROTO_IPV6.

```c
static int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
    struct m_tag *mt)
{
	int prot, af, sproto;

	ip6 = mtod(m, struct ip6_hdr *);
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));

	/* Save protocol */
	m_copydata(m, protoff, 1, (unsigned char *) &prot);
	/* --> prot = wrong value */
```

Fix:

```c
int prot = 0;
```

How-To-Repeat: Mount an IPv6 IPSEC tunnel and check the value.
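The one-byte copy into an `int` described in the report can be reproduced in user space. This is an added example, not FreeBSD code: `copydata()` is a hypothetical stand-in for `m_copydata()`, and the function names, the `stale` parameter (modelling leftover stack bytes) and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPV6 41	/* numeric value of IPPROTO_IPV6 */

/* Constructed sample: 40-byte IPv6 header, next-header byte at offset 6. */
static const uint8_t SAMPLE_HDR[40] = { [0] = 0x60, [6] = PROTO_IPV6 };

/* Hypothetical stand-in for m_copydata(): copy len bytes at off from a flat buffer. */
static void copydata(const uint8_t *pkt, size_t off, size_t len, void *dst)
{
	memcpy(dst, pkt + off, len);
}

/* Reported pattern: one byte overwrites part of an int whose other bytes are
 * stale. 'stale' models the leftover stack contents in a defined way. */
int read_prot_stale(const uint8_t *pkt, size_t protoff, int stale)
{
	int prot = stale;
	copydata(pkt, protoff, 1, (unsigned char *)&prot);
	return prot;
}

/* Committed pattern: zero the int first. The result equals the header byte
 * only where the copied byte is the int's least significant byte. */
int read_prot_zeroed(const uint8_t *pkt, size_t protoff)
{
	int prot = 0;
	copydata(pkt, protoff, 1, (unsigned char *)&prot);
	return prot;
}

/* Byte-order independent variant: read into a one-byte object, then widen. */
int read_prot_u8(const uint8_t *pkt, size_t protoff)
{
	uint8_t nxt;
	copydata(pkt, protoff, sizeof(nxt), &nxt);
	return nxt;
}

int main(void)
{
	printf("stale:  %#x\n", (unsigned)read_prot_stale(SAMPLE_HDR, 6, 0x7f7f7f7f));
	printf("zeroed: %#x\n", (unsigned)read_prot_zeroed(SAMPLE_HDR, 6));
	printf("u8:     %#x\n", (unsigned)read_prot_u8(SAMPLE_HDR, 6));
	return 0;
}
```

On a little-endian host the zeroed variant prints 0x29; on a big-endian host it prints 0x29000000, while the one-byte variant prints 0x29 on both.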