| Summary: | netipsec: kdebug_sadb invalid length check for sadb_ext_len | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Tobias Heider <me> |
| Component: | kern | Assignee: | freebsd-net (Nobody) <net> |
| Status: | New --- | | |
| Severity: | Affects Only Me | CC: | me |
| Priority: | --- | | |
| Version: | CURRENT | | |
| Hardware: | Any | | |
| OS: | Any | | |
Created attachment 248911 [details]
Updated Fix
Here's an updated diff. We can move extlen a few lines up and use that instead.
Created attachment 248900 [details]
Patch
Besides not doing any sufficient check that the length of a parsed message is not bigger than the actual allocated buffer, kdebug_sadb() incorrectly compares ext->sadb_ext_len, the extension payload size in 8-byte chunks, with tlen, which is the full message payload size in bytes. This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead. Fix attached.
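The unit mismatch described in this report, shown as an added example that is not part of the bug report, its attachments, or the FreeBSD source. The struct and macro are minimal local copies of the RFC 2367 definitions, and `mismatched_check_accepts`, `walk_exts` and `walk_sample` are hypothetical names operating on a constructed 16-byte payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal local copies of the PF_KEY (RFC 2367) definitions, for the example. */
struct sadb_ext {
    uint16_t sadb_ext_len;   /* extension length in 64-bit (8-byte) units */
    uint16_t sadb_ext_type;
};
#define PFKEY_UNUNIT64(a) ((size_t)(a) << 3)

/* The comparison described in the report: 8-byte units against bytes. */
int mismatched_check_accepts(uint16_t ext_len, size_t tlen)
{
    return ext_len != 0 && ext_len <= tlen;
}

/* Hypothetical walker: returns the number of extensions, or -1 if malformed. */
int walk_exts(const uint8_t *buf, size_t tlen)
{
    int count = 0;

    while (tlen > 0) {
        struct sadb_ext ext;
        size_t extlen;
        if (tlen < sizeof(ext))
            return -1;                       /* header itself is truncated */
        memcpy(&ext, buf, sizeof(ext));      /* avoid unaligned access */
        extlen = PFKEY_UNUNIT64(ext.sadb_ext_len);
        if (extlen == 0 || extlen > tlen)
            return -1;                       /* both sides are in bytes */
        buf += extlen;
        tlen -= extlen;
        count++;
    }
    return count;
}

/* Constructed sample: a 16-byte payload whose one extension claims `units`. */
int walk_sample(uint16_t units)
{
    uint8_t buf[16] = {0};
    struct sadb_ext ext = { units, 1 };
    memcpy(buf, &ext, sizeof(ext));
    return walk_exts(buf, sizeof(buf));
}

int main(void) { return walk_sample(2) == 1 && walk_sample(4) == -1 ? 0 : 1; }
```

An extension claiming 4 units (32 bytes) inside 16 remaining bytes passes the mismatched comparison because 4 <= 16, while the byte-to-byte comparison rejects it.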