untrusted comment: signature from openbsd 6.3 base secret key

untrusted comment: signature from openbsd 6.3 base secret key
RWRxzbLwAd76ZfofFPZGauSQde78SAk+Vza0Tlpk0bOZ5ZF5xF0q6Sl0YT2bjtxeylzScoE/sLa1u/sROKNom4txnBM3jKBT2gk=

OpenBSD 6.3 errata 006, May 8, 2018:

Incorrect handling of fragmented IPsec packets could result in a
system crash.

Apply by doing:
signify -Vep /etc/signify/openbsd-63-base.pub -x 006_ipseclen.patch.sig \
-m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
KK=`sysctl -n kern.osversion | cut -d# -f1`
cd /usr/src/sys/arch/`machine`/compile/$KK
make obj
make config
make
make install

Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.138
diff -u -p -r1.138 ip_ah.c
--- sys/netinet/ip_ah.c 14 Mar 2018 22:38:46 -0000 1.138
+++ sys/netinet/ip_ah.c 2 May 2018 20:34:55 -0000
@@ -855,10 +855,16 @@ ah_input_cb(struct cryptop *crp)
* the mbuf.
*/
m_adj(m1, rplen + ahx->authsize);
- if (!(m1->m_flags & M_PKTHDR))
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and m_adj()
+ * has already adjusted the packet header length for us.
+ */
+ if (m1 != m)
m->m_pkthdr.len -= rplen + ahx->authsize;
} else
if (roff + rplen + ahx->authsize >= m1->m_len) {
+ int adjlen;
+
/*
* Part or all of the AH header is at the end
* of this mbuf, so first let's remove the
@@ -867,16 +873,16 @@ ah_input_cb(struct cryptop *crp)
* chain, if any.
*/
if (roff + rplen + ahx->authsize > m1->m_len) {
+ adjlen = roff + rplen + ahx->authsize -
+ m1->m_len;
/* Adjust the next mbuf by the remainder. */
- m_adj(m1->m_next, roff + rplen +
- ahx->authsize - m1->m_len);
+ m_adj(m1->m_next, adjlen);

/*
* The second mbuf is guaranteed not
* to have a pkthdr...
*/
- m->m_pkthdr.len -=
- (roff + rplen + ahx->authsize - m1->m_len);
+ m->m_pkthdr.len -= adjlen;
}

/* Now, let's unlink the mbuf chain for a second... */
@@ -887,9 +893,14 @@ ah_input_cb(struct cryptop *crp)
* ...and trim the end of the first part of
* the chain...sick
*/
- m_adj(m1, -(m1->m_len - roff));
- if (!(m1->m_flags & M_PKTHDR))
- m->m_pkthdr.len -= (m1->m_len - roff);
+ adjlen = m1->m_len - roff;
+ m_adj(m1, -adjlen);
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and
+ * m_adj() has already adjusted the packet header len.
+ */
+ if (m1 != m)
+ m->m_pkthdr.len -= adjlen;

/* Finally, let's relink. */
m1->m_next = m0;
Index: sys/netinet/ip_esp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.152
diff -u -p -r1.152 ip_esp.c
--- sys/netinet/ip_esp.c 8 Nov 2017 16:29:20 -0000 1.152
+++ sys/netinet/ip_esp.c 2 May 2018 20:34:55 -0000
@@ -673,20 +673,28 @@ esp_input_cb(struct cryptop *crp)
if (roff == 0) {
/* The ESP header was conveniently at the beginning of the mbuf */
m_adj(m1, hlen);
- if (!(m1->m_flags & M_PKTHDR))
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and m_adj()
+ * has already adjusted the packet header length for us.
+ */
+ if (m1 != m)
m->m_pkthdr.len -= hlen;
} else if (roff + hlen >= m1->m_len) {
+ int adjlen;
+
/*
* Part or all of the ESP header is at the end of this mbuf, so
* first let's remove the remainder of the ESP header from the
* beginning of the remainder of the mbuf chain, if any.
*/
if (roff + hlen > m1->m_len) {
+ adjlen = roff + hlen - m1->m_len;
+
/* Adjust the next mbuf by the remainder */
- m_adj(m1->m_next, roff + hlen - m1->m_len);
+ m_adj(m1->m_next, adjlen);

/* The second mbuf is guaranteed not to have a pkthdr */
- m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+ m->m_pkthdr.len -= adjlen;
}

/* Now, let's unlink the mbuf chain for a second...*/
@@ -694,9 +702,14 @@ esp_input_cb(struct cryptop *crp)
m1->m_next = NULL;

/* ...and trim the end of the first part of the chain...sick */
- m_adj(m1, -(m1->m_len - roff));
- if (!(m1->m_flags & M_PKTHDR))
- m->m_pkthdr.len -= (m1->m_len - roff);
+ adjlen = m1->m_len - roff;
+ m_adj(m1, -adjlen);
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and m_adj()
+ * has already adjusted the packet header length for us.
+ */
+ if (m1 != m)
+ m->m_pkthdr.len -= adjlen;

/* Finally, let's relink */
m1->m_next = mo;
Index: sys/netinet/ip_ipcomp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.59
diff -u -p -r1.59 ip_ipcomp.c
--- sys/netinet/ip_ipcomp.c 8 Nov 2017 16:29:20 -0000 1.59
+++ sys/netinet/ip_ipcomp.c 2 May 2018 20:34:55 -0000
@@ -290,27 +290,40 @@ ipcomp_input_cb(struct cryptop *crp)
if (roff == 0) {
/* The IPCOMP header is at the beginning of m1 */
m_adj(m1, hlen);
- if (!(m1->m_flags & M_PKTHDR))
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and m_adj()
+ * has already adjusted the packet header length for us.
+ */
+ if (m1 != m)
m->m_pkthdr.len -= hlen;
} else if (roff + hlen >= m1->m_len) {
+ int adjlen;
+
if (roff + hlen > m1->m_len) {
+ adjlen = roff + hlen - m1->m_len;
+
/* Adjust the next mbuf by the remainder */
- m_adj(m1->m_next, roff + hlen - m1->m_len);
+ m_adj(m1->m_next, adjlen);

/*
* The second mbuf is guaranteed not to have a
* pkthdr...
*/
- m->m_pkthdr.len -= (roff + hlen - m1->m_len);
+ m->m_pkthdr.len -= adjlen;
}
/* Now, let's unlink the mbuf chain for a second... */
mo = m1->m_next;
m1->m_next = NULL;

/* ...and trim the end of the first part of the chain...sick */
- m_adj(m1, -(m1->m_len - roff));
- if (!(m1->m_flags & M_PKTHDR))
- m->m_pkthdr.len -= (m1->m_len - roff);
+ adjlen = m1->m_len - roff;
+ m_adj(m1, -adjlen);
+ /*
+ * If m1 is the first mbuf, it has set M_PKTHDR and m_adj()
+ * has already adjusted the packet header length for us.
+ */
+ if (m1 != m)
+ m->m_pkthdr.len -= adjlen;

/* Finally, let's relink */
m1->m_next = mo;