Date:      Wed, 27 Jul 2022 14:14:40 GMT
From:      Kornel Dulęba <kd@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 863871d369f8 - main - ipsec: Improve validation of PMTU
Message-ID:  <202207271414.26REEe1n051905@gitrepo.freebsd.org>

The branch main has been updated by kd:

URL: https://cgit.FreeBSD.org/src/commit/?id=863871d369f8deb687aafa26599d93a6ef7c5e41

commit 863871d369f8deb687aafa26599d93a6ef7c5e41
Author:     Kornel Dulęba <kd@FreeBSD.org>
AuthorDate: 2022-07-27 14:12:34 +0000
Commit:     Kornel Dulęba <kd@FreeBSD.org>
CommitDate: 2022-07-27 14:12:34 +0000

    ipsec: Improve validation of PMTU
    
    Currently there is no upper bound on the PMTU value that is accepted.
    Update hostcache only if the new pmtu is smaller than the current entry
    and the link MTU.
    
    Approved by:    mw(mentor)
    Sponsored by:   Stormshield
    Obtained from:  Semihalf
    Differential Revision: https://reviews.freebsd.org/D35872
---
 sys/netipsec/ipsec_input.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index ce8f1f02b8be..268d8a797c35 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
 	struct icmp *icp;
 	struct ip *ip = v;
 	uint32_t pmtu, spi;
+	uint32_t max_pmtu;
 	uint8_t proto;
 
 	if (code != PRC_MSGSIZE || ip == NULL)
@@ -304,7 +305,15 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
 
 	memset(&inc, 0, sizeof(inc));
 	inc.inc_faddr = satosin(sa)->sin_addr;
-	tcp_hc_updatemtu(&inc, pmtu);
+
+	/* Update pmtu only if its smaller than the current one. */
+	max_pmtu = tcp_hc_getmtu(&inc);
+	if (max_pmtu == 0)
+		max_pmtu = tcp_maxmtu(&inc, NULL);
+
+	if (pmtu < max_pmtu)
+		tcp_hc_updatemtu(&inc, pmtu);
+
 	return (0);
 }
 
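Review bot: The zero case of `max_pmtu` in the new block is not handled: when the hostcache has no entry and `tcp_maxmtu(&inc, NULL)` also returns 0, `if (pmtu < max_pmtu)` can never be true, so the reported value is dropped silently while the function still returns 0. If skipping the update is intended when no bound can be determined, state that in the comment; otherwise test for `max_pmtu == 0` explicitly after the fallback. The comment itself should read "it's" rather than "its" and mention the link-MTU fallback, since the commit message names both bounds but the comment only refers to "the current one".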


