From nobody@FreeBSD.org  Wed Mar 27 16:44:39 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id 10B82661
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 27 Mar 2013 16:44:39 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 01551D0A
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 27 Mar 2013 16:44:39 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r2RGicxm052316
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 27 Mar 2013 16:44:38 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r2RGicLE052315;
	Wed, 27 Mar 2013 16:44:38 GMT
	(envelope-from nobody)
Message-Id: <201303271644.r2RGicLE052315@red.freebsd.org>
Date: Wed, 27 Mar 2013 16:44:38 GMT
From: David Gueluy <david.gueluy@netasq.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Invalid protocol value in ipsec6_common_input_cb
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         177417
>Category:       kern
>Synopsis:       [ip6] Invalid protocol value in ipsec6_common_input_cb
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ae
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 27 16:50:00 UTC 2013
>Closed-Date:    Sat Dec 14 04:28:26 UTC 2013
>Last-Modified:  Sat Dec 14 04:30:02 UTC 2013
>Originator:     David Gueluy
>Release:        8.3
>Organization:
Netasq
>Environment:
FreeBSD 8.3-RELEASE-p6
>Description:
I use an IPv6 IPSEC tunnel and observe that in ipsec6_common_input_cb ( ip6_input.c), the protocol value is invalid.

The problem is that the "prot" variable is not initialized. 
It's an integer and just 1 single byte is copied from the mbuf into this variable.

Prot value will never match  IPPROTO_IPIP or  IPPROTO_IPV6

static int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
    struct m_tag *mt)
{
        int prot, af, sproto;

        ip6 = mtod(m, struct ip6_hdr *);
        ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));

        /* Save protocol */
        m_copydata(m, protoff, 1, (unsigned char *) &prot);

--> prot = wrong value



>How-To-Repeat:
Mount an IPv6 IPSEC tunnel and check the value
>Fix:
int prot = 0;


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Mar 27 23:48:07 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177417 
State-Changed-From-To: open->patched 
State-Changed-By: ae 
State-Changed-When: Mon Nov 11 13:20:11 UTC 2013 
State-Changed-Why:  
Patched in head/. 


Responsible-Changed-From-To: freebsd-net->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Mon Nov 11 13:20:11 UTC 2013 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177417 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177417: commit references a PR
Date: Mon, 11 Nov 2013 13:20:03 +0000 (UTC)

 Author: ae
 Date: Mon Nov 11 13:19:55 2013
 New Revision: 257987
 URL: http://svnweb.freebsd.org/changeset/base/257987
 
 Log:
   Initialize prot variable.
   
   PR:		177417
   MFC after:	1 week
 
 Modified:
   head/sys/netipsec/ipsec_input.c
 
 Modified: head/sys/netipsec/ipsec_input.c
 ==============================================================================
 --- head/sys/netipsec/ipsec_input.c	Mon Nov 11 13:06:31 2013	(r257986)
 +++ head/sys/netipsec/ipsec_input.c	Mon Nov 11 13:19:55 2013	(r257987)
 @@ -603,6 +603,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
  	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
  
  	/* Save protocol */
 +	prot = 0;
  	m_copydata(m, protoff, 1, (unsigned char *) &prot);
  
  #ifdef notyet
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Sat Dec 14 04:27:44 UTC 2013 
State-Changed-Why:  
Merged to stable/8, stable/9 and stable/10. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=177417 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177417: commit references a PR
Date: Sat, 14 Dec 2013 04:24:40 +0000 (UTC)

 Author: ae
 Date: Sat Dec 14 04:24:32 2013
 New Revision: 259385
 URL: http://svnweb.freebsd.org/changeset/base/259385
 
 Log:
   MFC r257987:
     Initialize prot variable.
   
     PR:		177417
 
 Modified:
   stable/10/sys/netipsec/ipsec_input.c
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sys/netipsec/ipsec_input.c
 ==============================================================================
 --- stable/10/sys/netipsec/ipsec_input.c	Sat Dec 14 04:16:47 2013	(r259384)
 +++ stable/10/sys/netipsec/ipsec_input.c	Sat Dec 14 04:24:32 2013	(r259385)
 @@ -602,6 +602,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
  	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
  
  	/* Save protocol */
 +	prot = 0;
  	m_copydata(m, protoff, 1, (unsigned char *) &prot);
  
  #ifdef notyet
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177417: commit references a PR
Date: Sat, 14 Dec 2013 04:27:36 +0000 (UTC)

 Author: ae
 Date: Sat Dec 14 04:27:28 2013
 New Revision: 259387
 URL: http://svnweb.freebsd.org/changeset/base/259387
 
 Log:
   MFC r257987:
     Initialize prot variable.
   
     PR:		177417
 
 Modified:
   stable/9/sys/netipsec/ipsec_input.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/netipsec/ipsec_input.c
 ==============================================================================
 --- stable/9/sys/netipsec/ipsec_input.c	Sat Dec 14 04:24:50 2013	(r259386)
 +++ stable/9/sys/netipsec/ipsec_input.c	Sat Dec 14 04:27:28 2013	(r259387)
 @@ -602,6 +602,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
  	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
  
  	/* Save protocol */
 +	prot = 0;
  	m_copydata(m, protoff, 1, (unsigned char *) &prot);
  
  #ifdef notyet
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/177417: commit references a PR
Date: Sat, 14 Dec 2013 04:24:58 +0000 (UTC)

 Author: ae
 Date: Sat Dec 14 04:24:50 2013
 New Revision: 259386
 URL: http://svnweb.freebsd.org/changeset/base/259386
 
 Log:
   MFC r257987:
     Initialize prot variable.
   
     PR:		177417
 
 Modified:
   stable/8/sys/netipsec/ipsec_input.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/netipsec/   (props changed)
 
 Modified: stable/8/sys/netipsec/ipsec_input.c
 ==============================================================================
 --- stable/8/sys/netipsec/ipsec_input.c	Sat Dec 14 04:24:32 2013	(r259385)
 +++ stable/8/sys/netipsec/ipsec_input.c	Sat Dec 14 04:24:50 2013	(r259386)
 @@ -615,6 +615,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
  	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
  
  	/* Save protocol */
 +	prot = 0;
  	m_copydata(m, protoff, 1, (unsigned char *) &prot);
  
  #ifdef notyet
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
