Date: Tue, 4 Apr 2017 13:41:50 +0000 (UTC)
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r316490 - head/sys/netipsec
Message-ID: <201704041341.v34Dfol0097448@repo.freebsd.org>
Author: ae
Date: Tue Apr 4 13:41:50 2017
New Revision: 316490
URL: https://svnweb.freebsd.org/changeset/base/316490

Log:
  When we are doing SA lookup for TCP-MD5, check both source and destination addresses. The previous code used only the destination address for lookup. But for inbound packets the source address was used as the SA destination address. Thus only outbound SAs were used for both directions. Now we use the addresses from a packet as is, thus SAs for both directions are needed.

  Reported by:	Mike Tancsa
  MFC after:	1 week

Modified:
  head/sys/netipsec/key.c

Modified: head/sys/netipsec/key.c ============================================================================== --- head/sys/netipsec/key.c Tue Apr 4 13:34:19 2017 (r316489) +++ head/sys/netipsec/key.c Tue Apr 4 13:41:50 2017 (r316490) @@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *sa kdebug_secash(sah, " ")); if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) { @@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *sai LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) {
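Review bot: The first hunk (key_allocsa_tcpmd5, around line 863) tightens the SAH match from "destination address equal" to "destination and source address equal", which is a behaviour change for existing configurations rather than a pure bug fix: any host that today relies on a single TCP-MD5 SA matching traffic in both directions will stop authenticating inbound segments after this update, with the failure showing up only as dropped or unauthenticated TCP-MD5 packets. That consequence is stated in the log message but should also reach administrators, so please add an UPDATING entry (and a sentence in the relevant ipsec/setkey documentation) saying that one SA per direction is now required, and keep that note with the MFC.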
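Review bot: The second hunk (key_getsav_tcpmd5, around line 4962) repeats the exact predicate introduced in the first hunk, "!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)", after the same IPPROTO_TCP filter; the two lookup paths were already out of sync once (only one direction was being compared), so consider factoring the TCP-MD5 SAH match into a small static helper used by both functions so that any later change (for example to the port-comparison flag, currently 0 in both calls) cannot diverge between the allocation and the getsav path.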