CVE-2008-0177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0177): The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header.
Seems like some BSDs are vulnerable to this.
Is there anything to do here? BSD herd, please advise.
seems we're fine:

# grep -C 3 m_pulldown /usr/src/sys/netinet6/ipcomp_input.c
		goto fail;
	}

	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
	if (!md) {
		m = NULL;	/* already freed */
		ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed "
--
	m = *mp;
	off = *offp;

	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
	if (!md) {
		m = NULL;	/* already freed */
		ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "

and: http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc

which refers to: http://security.freebsd.org/patches/SA-08:04/ipsec.patch

Index: sys/netinet6/ipcomp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/Attic/ipcomp_input.c,v
retrieving revision 1.7.4.1
diff -u -r1.7.4.1 ipcomp_input.c
--- sys/netinet6/ipcomp_input.c	31 Jan 2005 23:26:39 -0000	1.7.4.1
+++ sys/netinet6/ipcomp_input.c	13 Feb 2008 13:44:24 -0000
@@ -258,7 +258,7 @@
 	off = *offp;
 
 	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
-	if (!m) {
+	if (!md) {
 		m = NULL;	/* already freed */
 		ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "
 		    "(pulldown failure)\n"));

Corrected:      2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
                2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name:       CVE-2008-0177

so that's only freebsd 5 :)
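Review bot: the one-token change in the @@ -258,7 +258,7 @@ hunk (`if (!m)` to `if (!md)`) tests the right variable, and it is the whole fix: the body itself says `m = NULL; /* already freed */`, i.e. on failure m_pulldown() has already released the chain, so the old condition on the still non-NULL (and now dangling) m never fired and the NULL md was used by the code that follows, which is the remote crash the CVE describes. With the patch, the IPv6 path matches the IPv4 path shown in the grep output above, which already tests md. The advisory's "Corrected" lines list only RELENG_5 and RELENG_5_5, which is consistent with the conclusion in the same comment that only FreeBSD 5 was affected.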
ok, so closing as INVALID. Feel free to reopen if I missed something.
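For readers who want to see the bug class the thread is about, here is an added, self-contained C model written for this page; it is not KAME or FreeBSD code. It imitates the contract of m_pulldown() (on failure the chain is released and NULL is returned) with a toy `toy_pulldown()`, a toy `struct mbuf` and `struct ipcomp_hdr`, and shows why the failure branch must test the returned pointer `md` rather than the original chain pointer `m`. All identifiers and the constructed packets are assumptions made for the example; the buggy variant reports the NULL-dereference path instead of performing it so that the program runs safely.

```c
/* Added example (not the KAME/FreeBSD code): model of the check fixed by
 * FreeBSD-SA-08:04. Real m_pulldown() frees the mbuf chain and returns NULL
 * when it cannot make the requested bytes contiguous; the caller must test
 * the returned pointer (md), because the original pointer (m) is now
 * dangling and still non-NULL. Everything below is a simplified stand-in. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct mbuf {                 /* toy stand-in for the kernel mbuf chain */
    size_t len;               /* bytes of packet data present */
    int freed;                /* set when the toy pulldown "frees" it */
    unsigned char data[64];
};

struct ipcomp_hdr {           /* toy stand-in for the IPComp header (4 bytes) */
    unsigned char nxt, flags;
    unsigned short cpi;
};

enum result { INPUT_OK = 0, INPUT_DROPPED = -1, INPUT_NULL_DEREF = -2 };

/* Toy m_pulldown: succeed if 'len' bytes exist at 'off'; otherwise release
 * the chain (modelled by the 'freed' flag) and return NULL. */
static struct mbuf *toy_pulldown(struct mbuf *m, size_t off, size_t len)
{
    if (off + len <= m->len)
        return m;
    m->freed = 1;             /* the real function frees the chain here */
    return NULL;
}

/* Patched pattern: test md, the value the pulldown returned. */
enum result ipcomp_input_fixed(struct mbuf *m, size_t off)
{
    struct mbuf *md = toy_pulldown(m, off, sizeof(struct ipcomp_hdr));
    if (!md)
        return INPUT_DROPPED; /* chain already released; stop here */
    struct ipcomp_hdr h;
    memcpy(&h, md->data + off, sizeof h);
    return INPUT_OK;
}

/* Pre-patch pattern: tests m, which is never NULL here, so the failure
 * branch is dead and md (NULL) would be dereferenced next. We report that
 * outcome instead of dereferencing so the example runs safely. */
enum result ipcomp_input_buggy(struct mbuf *m, size_t off)
{
    struct mbuf *md = toy_pulldown(m, off, sizeof(struct ipcomp_hdr));
    if (!m)                   /* wrong variable: m is dangling, not NULL */
        return INPUT_DROPPED;
    if (md == NULL)           /* where the real code would touch *md */
        return INPUT_NULL_DEREF;
    struct ipcomp_hdr h;
    memcpy(&h, md->data + off, sizeof h);
    return INPUT_OK;
}

/* Build a constructed packet of 'pkt_len' bytes and feed it to one variant. */
enum result feed_fixed(size_t pkt_len, size_t off)
{
    struct mbuf m = {0};
    m.len = pkt_len;
    return ipcomp_input_fixed(&m, off);
}

enum result feed_buggy(size_t pkt_len, size_t off)
{
    struct mbuf m = {0};
    m.len = pkt_len;
    return ipcomp_input_buggy(&m, off);
}

int main(void)
{
    /* A well-formed packet (40 bytes, header at offset 0) and a truncated
     * one (2 bytes, too short for the 4-byte IPComp header). */
    printf("fixed, well-formed: %d\n", feed_fixed(40, 0));   /* 0  */
    printf("fixed, truncated:   %d\n", feed_fixed(2, 0));    /* -1 */
    printf("buggy, well-formed: %d\n", feed_buggy(40, 0));   /* 0  */
    printf("buggy, truncated:   %d\n", feed_buggy(2, 0));    /* -2 */
    return 0;
}
```

The general lesson is the same in any allocator-style API whose failure path releases the object it was handed: the only pointer that is valid after the call is the one it returned, so that is the one the caller has to test.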