OpenBSD: kernel heap overflow in IPsec
Posted by Joe Shakespeare

On systems running isakmpd(8) it is possible for a local user to
cause kernel memory corruption and system panic by setting ipsec(4)
credentials on a socket.  Stopping isakmpd(8) does not prevent the
memory corruption.

This has been fixed in OpenBSD-current, and the OpenBSD 3.6, 3.5,
and 3.4 -stable branches.  Patches are also available for OpenBSD
3.6, 3.5 and 3.4:

    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.6/common/007_pfkey.patch
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.5/common/024_pfkey.patch
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/035_pfkey.patch

Thanks to Stefan Miltchev for reporting the problem.

-markus