author | Tobias Heider <me@tobhe.me> | 2024-12-04 01:13:41 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2024-12-18 14:15:46 +0000 |
commit | 11c7eb30cc9b38d199c4686ad00071a678a1fc58 (patch) | |
tree | 327cd9b3757f1ad1826eafb15fb4b588ec5779f3 | |
parent | 6b466bbd6134980985b67a68787e4258c0e49b88 (diff) |
pfkey: Fix some checks in kdebug_sadb()
Besides not doing any sufficient check that the length of a parsed
message is not bigger than the actual allocated buffer, kdebug_sadb()
incorrectly compares ext->sadb_ext_len, the extension payload size in 8
byte chunks, with tlen, which is the full message payload size in bytes.
This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead.
PR: 277456
MFC after: 2 weeks
(cherry picked from commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d)
-rw-r--r-- | sys/netipsec/key_debug.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c index ab4def455ac9..ef511f25411c 100644 --- a/sys/netipsec/key_debug.c +++ b/sys/netipsec/key_debug.c @@ -189,11 +189,12 @@ kdebug_sadb(struct sadb_msg *base) ext->sadb_ext_len, ext->sadb_ext_type, kdebug_sadb_exttype(ext->sadb_ext_type)); - if (ext->sadb_ext_len == 0) { + extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); + if (extlen == 0) { printf("%s: invalid ext_len=0 was passed.\n", __func__); return; } - if (ext->sadb_ext_len > tlen) { + if (extlen > tlen) { printf("%s: ext_len too big (%u > %u).\n", __func__, ext->sadb_ext_len, tlen); return; @@ -257,7 +258,6 @@ kdebug_sadb(struct sadb_msg *base) return; } - extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); tlen -= extlen; ext = (struct sadb_ext *)((caddr_t)ext + extlen); } |
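Review bot: The "ext_len too big" diagnostic in the first hunk still prints `ext->sadb_ext_len`, which is in 8-byte units, next to `tlen`, which is in bytes, although the guard now compares `extlen > tlen`. A rejected extension can therefore log a pair such as "(3 > 16)" (constructed values), which reads as a false comparison and misleads anyone triaging a malformed PF_KEY message from the console output. Pass the converted length instead: `__func__, extlen, tlen);`. The declarations of `extlen` and `tlen` are outside the hunk, so confirm that `%u` matches their types or adjust the specifiers. The body of kdebug_sadb() starts and ends outside both hunks.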