kern/94273: IPIP decapsulation problem in FAST_IPSEC stack

VANHULLEBUS Yvan vanhu at netasq.com
Thu Mar 9 06:40:14 PST 2006


>Number:         94273
>Category:       kern
>Synopsis:       IPIP decapsulation problem in FAST_IPSEC stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 09 14:40:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     VANHULLEBUS Yvan
>Release:        FreeBSD 6.0-STABLE
>Organization:
NETASQ
>Environment:
System: FreeBSD yvan.netasq.int 6.0-STABLE FreeBSD 6.0-STABLE #6:  Tue Dec  6 19:20:56 CET 2005 root at yvan.netasq.int:/usr/src/sys/compile/vanhu i386
>Description:
FAST_IPSEC doesn't correctly remove the IPIP header for Tunneled packets.

It works (I guess by accident), because the IPIP header is removed when
the packet is reinjected in ip_input.c, but that implies an extra call
to ip_input.

There is some code to remove the IPIP header in ipsec_input.c, but it
doesn't work correctly.


>How-To-Repeat:
Set up a tunnel mode IPSec conf, and look at what happens in ip_input....


>Fix:
--- netipsec/ipsec_input.c.orig	Thu Mar  9 15:00:26 2006
+++ netipsec/ipsec_input.c	Thu Mar  9 15:01:15 2006
@@ -323,8 +323,6 @@ ipsec4_common_input_cb(struct mbuf *m, s
 
 	/* IP-in-IP encapsulation */
 	if (prot == IPPROTO_IPIP) {
-		struct ip ipn;
-
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 			IPSEC_ISTAT(sproto, espstat.esps_hdrops,
 			    ahstat.ahs_hdrops,
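Review bot: dropping the `struct ip ipn;` declaration at the top of the IPPROTO_IPIP branch leaves no copy of the inner header for the rest of the branch, and the `#ifdef notyet` section further down is not compiled, so a leftover reference to ipn there would go unnoticed by the build. Check that section for uses of ipn and either change them to read the inner header from the mbuf or remove them in the same patch.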
@@ -332,9 +330,8 @@ ipsec4_common_input_cb(struct mbuf *m, s
 			error = EINVAL;
 			goto bad;
 		}
-		/* ipn will now contain the inner IPv4 header */
-		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
-		    (caddr_t) &ipn);
+		/* remove the outer IPv4 header */
+		m_striphdr(m, 0, ip->ip_hl << 2);
 
 #ifdef notyet
 		/* XXX PROXY address isn't recorded in SAH */
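Review bot: after `m_striphdr(m, 0, ip->ip_hl << 2);` the local `ip` still refers to the outer header that was just removed, so any later code in this function that dereferences `ip` should reload it from the mbuf first. The length guard above is written in terms of `skip` while the strip length is `ip->ip_hl << 2`; using one quantity in both places, or a comment stating they are equal here, would make it clear that the guard covers what is stripped and that a full inner header remains afterwards.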
>Release-Note:
>Audit-Trail:
>Unformatted:

