Date: Sun, 8 Dec 2019 15:24:04 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r355529 - stable/11/sys/netipsec Message-ID: <201912081524.xB8FO4qA006329@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Sun Dec 8 15:24:03 2019 New Revision: 355529 URL: https://svnweb.freebsd.org/changeset/base/355529 Log: MFC r355129: Add support for dummy ESP packets with next header field equal to IPPROTO_NONE. According to RFC4303 2.6 they should be silently dropped. Submitted by: aurelien.cazuc.external_stormshield.eu Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D22557 Modified: stable/11/sys/netipsec/xform_esp.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netipsec/xform_esp.c ============================================================================== --- stable/11/sys/netipsec/xform_esp.c Sun Dec 8 15:22:20 2019 (r355528) +++ stable/11/sys/netipsec/xform_esp.c Sun Dec 8 15:24:03 2019 (r355529) @@ -607,6 +607,13 @@ esp_input_cb(struct cryptop *crp) } } + /* + * RFC4303 2.6: + * Silently drop packet if next header field is IPPROTO_NONE. + */ + if (lastthree[2] == IPPROTO_NONE) + goto bad; + /* Trim the mbuf chain to remove trailing authenticator and padding */ m_adj(m, -(lastthree[1] + 2));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201912081524.xB8FO4qA006329>