From nobody@FreeBSD.org  Wed Oct  7 08:25:39 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 61CBE1065670
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Oct 2009 08:25:39 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 50B338FC19
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Oct 2009 08:25:39 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n978PcOJ015421
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 7 Oct 2009 08:25:38 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n978PcWF015420;
	Wed, 7 Oct 2009 08:25:38 GMT
	(envelope-from nobody)
Message-Id: <200910070825.n978PcWF015420@www.freebsd.org>
Date: Wed, 7 Oct 2009 08:25:38 GMT
From: Rainer Bredehorn <Bredehorn@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Wrong length of PF_KEY messages in promiscuous mode
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         139387
>Category:       kern
>Synopsis:       [ipsec] Wrong length of PF_KEY messages in promiscuous mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 07 08:30:01 UTC 2009
>Closed-Date:    
>Last-Modified:  Wed Oct 07 18:01:56 UTC 2009
>Originator:     Rainer Bredehorn
>Release:        FreeBSD 7.1
>Organization:
>Environment:
FreeBSD 7.1-RELEASE
>Description:
File: netipsec/keysock.c
Function: key_sendup0()

--------------
	if (promisc) {
		struct sadb_msg *pmsg;

		M_PREPEND(m, sizeof(struct sadb_msg), M_DONTWAIT);
		if (m && m->m_len < sizeof(struct sadb_msg))
			m = m_pullup(m, sizeof(struct sadb_msg));
		if (!m) {
			pfkeystat.in_nomem++;
			m_freem(m);
			return ENOBUFS;
		}
-------->	m->m_pkthdr.len += sizeof(*pmsg);

		pmsg = mtod(m, struct sadb_msg *);
		bzero(pmsg, sizeof(*pmsg));
		pmsg->sadb_msg_version = PF_KEY_V2;
		pmsg->sadb_msg_type = SADB_X_PROMISC;
		pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
		/* pid and seq? */

		pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
	}
-----------------

This "m->m_pkthdr.len += sizeof(*pmsg);" is not necessary, so sadb_msg_len is always 16 bytes too large.

M_PREPEND already adjusts the length of the mbuf to the correct size.

Best regards, Rainer
>How-To-Repeat:
Switch the kernel PF_KEY to promiscuous mode.
Receive promiscuous mode messages.
>Fix:
Remove the adjustment of the mbuf length ( m->m_pkthdr.len += sizeof(*pmsg); )


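Added example (not kernel code from this PR or from FreeBSD): a userland model of the length bookkeeping in the promiscuous-mode wrapper above, run once with the extra "m->m_pkthdr.len += sizeof(*pmsg)" and once without it, plus the receive-side consistency check a PF_KEY consumer can apply. The mbuf stand-in, the M_PREPEND model, the 64-byte inner message and the SADB_X_PROMISC constant value are assumptions made for the illustration; only the struct sadb_msg layout (16 bytes, lengths in 64-bit units per RFC 2367) and PFKEY_UNIT64 follow the real definitions.

```c
/* Added example, not FreeBSD kernel code: models the pkthdr.len
 * bookkeeping from PR 139387 and shows the 16-byte overstatement. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* struct sadb_msg per RFC 2367: 16 bytes, sadb_msg_len in 64-bit units. */
struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};

#define PF_KEY_V2        2
#define SADB_X_PROMISC   11   /* assumed value for the illustration only */
#define PFKEY_UNIT64(n)  ((n) >> 3)

/* Minimal stand-in (assumption) for the mbuf fields the PR's code touches:
 * a single-mbuf chain with leading space available for prepends. */
struct mbuf_model {
    unsigned char buf[256];
    size_t off;          /* start of data within buf */
    size_t m_len;        /* bytes in this mbuf */
    size_t pkthdr_len;   /* packet-header total length */
};

/* Model of M_PREPEND on a single-mbuf chain: it grows both m_len and,
 * as the PR points out, pkthdr.len. */
static void model_m_prepend(struct mbuf_model *m, size_t n) {
    m->off -= n;
    m->m_len += n;
    m->pkthdr_len += n;
}

/* Wrap the current message in an SADB_X_PROMISC header. When double_count
 * is nonzero, reproduce the extra pkthdr.len increment the PR reports. */
static struct sadb_msg *wrap_promisc(struct mbuf_model *m, int double_count) {
    struct sadb_msg *pmsg;

    model_m_prepend(m, sizeof(struct sadb_msg));
    if (double_count)
        m->pkthdr_len += sizeof(*pmsg);   /* the line the PR says to remove */

    pmsg = (struct sadb_msg *)(m->buf + m->off);
    memset(pmsg, 0, sizeof(*pmsg));
    pmsg->sadb_msg_version = PF_KEY_V2;
    pmsg->sadb_msg_type = SADB_X_PROMISC;
    pmsg->sadb_msg_len = (uint16_t)PFKEY_UNIT64(m->pkthdr_len);
    return pmsg;
}

/* Receive-side check for a PF_KEY consumer: the advertised length in bytes
 * must equal the bytes actually delivered. Returns the discrepancy in bytes
 * (0 when consistent, positive when the header overstates the length). */
static long promisc_len_mismatch(const struct sadb_msg *hdr, size_t nread) {
    return (long)((size_t)hdr->sadb_msg_len * 8) - (long)nread;
}

/* Build a constructed 64-byte inner message, wrap it, and report the
 * discrepancy produced by the chosen code path. */
static long demo(int double_count) {
    struct mbuf_model m;
    const size_t inner = 64;               /* constructed inner message size */
    struct sadb_msg *hdr;

    memset(&m, 0, sizeof(m));
    m.off = 64;                            /* leave room for the prepend */
    m.m_len = inner;
    m.pkthdr_len = inner;
    memset(m.buf + m.off, 0xAB, inner);    /* fake inner payload bytes */

    hdr = wrap_promisc(&m, double_count);
    return promisc_len_mismatch(hdr, m.m_len);
}

int main(void) {
    printf("with the extra increment: %ld bytes overstated\n", demo(1));
    printf("without it:               %ld bytes overstated\n", demo(0));
    return 0;
}
```

With the extra increment the header claims 96 bytes for an 80-byte message (sizeof(struct sadb_msg) counted twice, which is 2 extra 64-bit units); without it the advertised and delivered lengths agree. The same promisc_len_mismatch() comparison, applied to every message read from a PF_KEY socket, is how a userland consumer can detect this class of length inconsistency rather than trust sadb_msg_len when walking extensions.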
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Oct 7 18:00:49 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=139387 
>Unformatted:
