Re: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
- From: "Bjoern A. Zeeb" <bzeeb-lists@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Apr 2008 07:38:17 +0000 (UTC)
On Tue, 8 Apr 2008, blue wrote:
Dear all:
struct secashead defined in keydb.h line 89:
/* Security Association Data Base */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secasindex saidx;
struct secident *idents; /* source identity */
struct secident *identd; /* destination identity */
/* XXX I don't know how to use them. */
u_int8_t state; /* MATURE or DEAD. */
LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
/* SA chain */
/* The first of this list is newer SA */
struct route sa_route; /* route cache */
};
The last field "sa_route" is "struct route", whose space is not enough for IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned with an IPv6 address.
My suggestion is to enlarge the field as struct route_in6, which could accommodate both IPv4 and IPv6 address.
Can you please file a PR for this. Thanks.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- References:
- Prev by Date: Re: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
- Next by Date: Re: ipfw uid/gid to match listening TCP sockets?
- Previous by thread: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
- Index(es):
Relevant Pages
|
