authormarkus <markus@openbsd.org>2011-04-06 19:15:34 +0000
committermarkus <markus@openbsd.org>2011-04-06 19:15:34 +0000
commitcd64efc0169bbc14d8987d7a83da970aadbeb08c (patch)
tree2400e346924f70387bff5666f3a3cb91359624a9 /sys/netinet/ipsec_input.c
parentDeclare and initialize safepri, for the kernel to link. (diff)
uncompress a packet with an IPcomp header only once; this prevents
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy; it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@; feedback and ok matthew@, deraadt@, djm@, claudio@
Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 1896046d44d..918b78ed837 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.101 2011/04/03 15:51:09 henning Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.102 2011/04/06 19:15:34 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -141,6 +141,12 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
rip_input(m, skip, sproto);
return 0;
}
+ if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
+ m_freem(m);
+ ipcompstat.ipcomps_pdrops++;
+ DPRINTF(("ipsec_common_input(): repeated decompression\n"));
+ return EINVAL;
+ }
if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
m_freem(m);
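Review bot: The new M_COMP guard at the top of this hunk is correct only as long as the flag survives every step between the first decompression and the point where a second IPcomp header is reached — in particular the IPIP decapsulation the commit message mentions and any mbuf copy along the way (e.g. whether M_COMP is part of M_COPYFLAGS is not visible here) — and the check itself says nothing about that dependency or about where the flag is expected to be cleared. A short comment would let the next reader see why a second IPcomp header is rejected rather than processed: `/* Decompress at most once per packet: an IPcomp payload that itself carries an IPcomp header (directly or via IPIP) would otherwise be decompressed forever; M_COMP marks a packet already decompressed. */`. Counting the drop in ipcomps_pdrops and returning EINVAL matches the length check just below, so the error handling is consistent. ipsec_common_input begins before this hunk.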
@@ -570,8 +576,11 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
/* Check if we had authenticated ESP. */
if (tdbp->tdb_authalgxform)
m->m_flags |= M_AUTH;
- } else if (sproto == IPPROTO_AH)
+ } else if (sproto == IPPROTO_AH) {
m->m_flags |= M_AUTH | M_AUTH_AH;
+ } else if (sproto == IPPROTO_IPCOMP) {
+ m->m_flags |= M_COMP;
+ }
#if NPF > 0
/* Add pf tag if requested. */