Apply by doing
       cd /usr/src/sys/netinet
       patch -p0 < ipsec.patch

And then rebuild your kernel.

Index: src/sys/netinet/ip_esp_new.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_new.c,v
retrieving revision 1.9
diff -u -r1.9 ip_esp_new.c
--- ip_esp_new.c        1997/10/02 02:31:04     1.9
+++ ip_esp_new.c        1998/05/05 09:54:45
@@ -501,7 +501,7 @@
    /* Skip the IP header, IP options, SPI, SN and IV and minus Auth Data*/
    plen = m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof (u_int32_t) -
          xd->edx_ivlen - alen;
-    if (plen & (blks - 1))
+    if ((plen & (blks - 1)) || (plen <= 0))
    {
#ifdef ENCDEBUG
       if (encdebug)
@@ -719,6 +719,16 @@

    if (xd->edx_flags & ESP_NEW_FLAG_OPADDING)
    {
+        if (blk[6] + 2 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+        {
+#ifdef ENCDEBUG
+           if (encdebug)
+             printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+           espstat.esps_badilen++;
+           m_freem(m);
+           return NULL;
+       }
        if ((blk[6] != blk[5]) && (blk[6] != 0))
       {
           if (encdebug)
@@ -731,6 +741,16 @@
    }
    else
    {
+        if (blk[6] + 1 + alen > m->m_pkthdr.len - (ip->ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen)
+        {
+#ifdef ENCDEBUG
+           if (encdebug)
+             printf("esp_new_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+           espstat.esps_badilen++;
+           m_freem(m);
+           return NULL;
+       }
       if (blk[6] == 0)
       {
           if (encdebug)
Index: src/sys/netinet/ip_esp_old.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp_old.c,v
retrieving revision 1.9
diff -u -r1.9 ip_esp_old.c
--- ip_esp_old.c        1997/10/02 02:31:05     1.9
+++ ip_esp_old.c        1998/05/05 09:54:45
@@ -326,7 +326,7 @@
    /* Skip the IP header, IP options, SPI and IV */
    plen = m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
          xd->edx_ivlen;
-    if (plen & (blks - 1))
+    if ((plen & (blks - 1)) || (plen <= 0))
    {
#ifdef ENCDEBUG
       if (encdebug)
@@ -454,6 +454,18 @@
     * We cannot verify the decryption here (as in ip_esp_new.c), since
     * the padding may be random.
     */
+
+    if (blk[6] + 2 > m->m_pkthdr.len - (ip->ip_hl << 2) - sizeof(u_int32_t) -
+       xd->edx_ivlen)
+    {
+#ifdef ENCDEBUG
+        if (encdebug)
+         printf("esp_old_input(): invalid padding length %d for packet from %x to %x, SA %x/%08x\n", blk[6], ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+#endif /* ENCDEBUG */
+       espstat.esps_badilen++;
+       m_freem(m);
+       return NULL;
+    }

    m_adj(m, -blk[6] - 2);
    m_adj(m, 4 + xd->edx_ivlen);

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.