Date:      Sun, 8 Dec 2019 15:24:04 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r355529 - stable/11/sys/netipsec
Message-ID:  <201912081524.xB8FO4qA006329@repo.freebsd.org>

Author: ae
Date: Sun Dec  8 15:24:03 2019
New Revision: 355529
URL: https://svnweb.freebsd.org/changeset/base/355529

Log:
  MFC r355129:
    Add support for dummy ESP packets with next header field equal to
    IPPROTO_NONE.
  
    According to RFC4303 2.6 they should be silently dropped.
  
    Submitted by:	aurelien.cazuc.external_stormshield.eu
    Sponsored by:	Stormshield
    Differential Revision:	https://reviews.freebsd.org/D22557

Modified:
  stable/11/sys/netipsec/xform_esp.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/xform_esp.c
==============================================================================
--- stable/11/sys/netipsec/xform_esp.c	Sun Dec  8 15:22:20 2019	(r355528)
+++ stable/11/sys/netipsec/xform_esp.c	Sun Dec  8 15:24:03 2019	(r355529)
@@ -607,6 +607,13 @@ esp_input_cb(struct cryptop *crp)
 		}
 	}
 
+	/*
+	 * RFC4303 2.6:
+	 * Silently drop packet if next header field is IPPROTO_NONE.
+	 */
+	if (lastthree[2] == IPPROTO_NONE)
+		goto bad;
+
 	/* Trim the mbuf chain to remove trailing authenticator and padding */
 	m_adj(m, -(lastthree[1] + 2));
 
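Review bot: the new `IPPROTO_NONE` check drops the packet without recording the cause anywhere visible in this hunk, so an operator cannot distinguish dummy-packet drops (a legitimate RFC 4303 2.6 traffic-flow-confidentiality mechanism) from drops caused by corrupt or malformed ESP trailers. If esp_input_cb maintains per-cause ESP statistics counters, consider incrementing one before the `goto bad` so the rate of dummy packets is observable, while still sending nothing back to the peer; "silently" in the RFC rules out error notifications, not local accounting. The placement itself looks right: `lastthree[2]` is only consulted once the packet has been authenticated and decrypted (the trailing-authenticator trim follows immediately), so an unauthenticated sender cannot steer traffic onto this path.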