Date:      Tue, 8 Apr 2008 19:14:30 +0800 (CST)
From:      susan.lan@zyxel.com.tw
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/122565: Possible memory overwrite for IPv6 IPsec	
Message-ID:  <200804081114.m38BEU7k091663@death.ath.cx>
Resent-Message-ID: <200804081120.m38BK1cb091924@freefall.freebsd.org>


>Number:         122565
>Category:       kern
>Synopsis:       Possible memory overwrite for IPv6 IPsec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
	None
>Description:
	struct secashead defined in keydb.h line 89:

/* Security Association Data Base */
struct secashead {
   LIST_ENTRY(secashead) chain;

   struct secasindex saidx;

   struct secident *idents;    /* source identity */
   struct secident *identd;    /* destination identity */
                   /* XXX I don't know how to use them. */

   u_int8_t state;            /* MATURE or DEAD. */
   LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
                   /* SA chain */
                   /* The first of this list is newer SA */

   struct route sa_route;        /* route cache */
};

The last field "sa_route" is a "struct route", whose space is not enough for an IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned an IPv6 address.

>How-To-Repeat:
	None
>Fix:
	Enlarge the field to struct route_in6, which could accommodate both IPv4 and IPv6 addresses.


>Release-Note:
>Audit-Trail:
>Unformatted:
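An added illustration of the size mismatch this report describes; it is not code from the report or from the FreeBSD tree. struct model_route and struct model_route_in6 are constructed stand-ins for struct route and struct route_in6 (only the ro_dst member mirrors the real layout), and cache_dst is a hypothetical length guard of the kind the fix makes unnecessary.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed stand-ins for the two route caches: only ro_dst mirrors the
 * kernel layout; sentinel and pad keep an oversized write inside the model. */
struct model_route {
    void *ro_rt;                /* cached rtentry pointer */
    struct sockaddr ro_dst;     /* 16 bytes: cannot hold a sockaddr_in6 */
    unsigned int sentinel;      /* stands in for whatever follows ro_dst */
    unsigned char pad[32];
};
struct model_route_in6 {
    void *ro_rt;
    struct sockaddr_in6 ro_dst; /* 28 bytes: holds IPv4 and IPv6 */
};

/* Bytes by which an IPv6 destination overruns struct route's ro_dst. */
size_t ipv6_overrun_bytes(void)
{
    size_t need = sizeof(struct sockaddr_in6);
    size_t cap = sizeof(((struct model_route *)0)->ro_dst);
    return need > cap ? need - cap : 0;
}

/* Guarded store: 0 on success, -1 if `len` would overrun the `cap`-byte slot. */
int cache_dst(void *slot, size_t cap, const struct sockaddr *sa, socklen_t len)
{
    if (len > cap)
        return -1;
    memcpy(slot, sa, len);
    return 0;
}

/* The unguarded copy the report describes; returns 1 if the field after ro_dst
 * was overwritten. Addressed from the struct start so it stays in the model. */
int unguarded_copy_clobbers_neighbor(void)
{
    struct model_route r;
    struct sockaddr_in6 sin6;
    memset(&r, 0, sizeof r);
    memset(&sin6, 0xAB, sizeof sin6);      /* constructed filler address */
    sin6.sin6_family = AF_INET6;
    r.sentinel = 0x12345678u;
    memcpy((unsigned char *)&r + offsetof(struct model_route, ro_dst),
           &sin6, sizeof sin6);
    return r.sentinel != 0x12345678u;
}
```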