Add the actual patches to the doc repo. This would help people interested

in actually patching their systems.

Approved by:	so

share/security/patches/SA-18:01/ipsec-10.patch

@@ -0,0 +1,38 @@
+--- sys/netipsec/xform_ah.c.orig
++++ sys/netipsec/xform_ah.c
+@@ -615,6 +615,16 @@
+ 		m_freem(m);
+ 		return EACCES;
+ 	}
++	if (skip + authsize + rplen > m->m_pkthdr.len) {
++		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
++		    " for packet in SA %s/%08lx\n", __func__,
++		    m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
++		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
++		    (u_long) ntohl(sav->spi)));
++		AHSTAT_INC(ahs_badauthl);
++		error = EACCES;
++		goto bad;
++	}
+ 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
+ 
+ 	/* Get crypto descriptors. */
+@@ -680,6 +690,9 @@
+ 		/* Zeroize the authenticator on the packet. */
+ 		m_copyback(m, skip + rplen, authsize, ipseczeroes);
+ 
++		/* Save ah_nxt, since ah pointer can become invalid after "massage" */
++		hl = ah->ah_nxt;
++
+ 		/* "Massage" the packet headers for crypto processing. */
+ 		error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
+ 		    skip, ahx->type, 0);
+@@ -704,7 +717,7 @@
+ 	tc->tc_spi = sav->spi;
+ 	tc->tc_dst = sav->sah->saidx.dst;
+ 	tc->tc_proto = sav->sah->saidx.proto;
+-	tc->tc_nxt = ah->ah_nxt;
++	tc->tc_nxt = hl;
+ 	tc->tc_protoff = protoff;
+ 	tc->tc_skip = skip;
+ 	tc->tc_ptr = (caddr_t) mtag; /* Save the mtag we've identified. */

share/security/patches/SA-18:01/ipsec-11.patch

@@ -0,0 +1,38 @@
+--- sys/netipsec/xform_ah.c.orig
++++ sys/netipsec/xform_ah.c
+@@ -598,6 +598,16 @@
+ 		error = EACCES;
+ 		goto bad;
+ 	}
++	if (skip + authsize + rplen > m->m_pkthdr.len) {
++		DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
++		    " for packet in SA %s/%08lx\n", __func__,
++		    m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
++		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
++		    (u_long) ntohl(sav->spi)));
++		AHSTAT_INC(ahs_badauthl);
++		error = EACCES;
++		goto bad;
++	}
+ 	AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
+ 
+ 	/* Get crypto descriptors. */
+@@ -642,6 +652,9 @@
+ 	/* Zeroize the authenticator on the packet. */
+ 	m_copyback(m, skip + rplen, authsize, ipseczeroes);
+ 
++	/* Save ah_nxt, since ah pointer can become invalid after "massage" */
++	hl = ah->ah_nxt;
++
+ 	/* "Massage" the packet headers for crypto processing. */
+ 	error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family,
+ 	    skip, ahx->type, 0);
+@@ -664,7 +677,7 @@
+ 
+ 	/* These are passed as-is to the callback. */
+ 	xd->sav = sav;
+-	xd->nxt = ah->ah_nxt;
++	xd->nxt = hl;
+ 	xd->protoff = protoff;
+ 	xd->skip = skip;
+ 	xd->cryptoid = cryptoid;