svn commit: r355129 - head/sys/netipsec

Andrey V. Elsukov ae at FreeBSD.org
Wed Nov 27 10:24:46 UTC 2019


Author: ae
Date: Wed Nov 27 10:24:46 2019
New Revision: 355129
URL: https://svnweb.freebsd.org/changeset/base/355129

Log:
  Add support for dummy ESP packets with next header field equal to
  IPPROTO_NONE.
  
  According to RFC4303 2.6 they should be silently dropped.
  
  Submitted by:	aurelien.cazuc.external_stormshield.eu
  MFC after:	10 days
  Sponsored by:	Stormshield
  Differential Revision:	https://reviews.freebsd.org/D22557

Modified:
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c	Wed Nov 27 07:51:29 2019	(r355128)
+++ head/sys/netipsec/xform_esp.c	Wed Nov 27 10:24:46 2019	(r355129)
@@ -614,6 +614,13 @@ esp_input_cb(struct cryptop *crp)
 		}
 	}
 
+	/*
+	 * RFC4303 2.6:
+	 * Silently drop packet if next header field is IPPROTO_NONE.
+	 */
+	if (lastthree[2] == IPPROTO_NONE)
+		goto bad;
+
 	/* Trim the mbuf chain to remove trailing authenticator and padding */
 	m_adj(m, -(lastthree[1] + 2));
 
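Review bot: the new `goto bad` reuses whatever return value and cleanup the `bad:` label already performs, none of which is visible in this hunk, so please confirm that path only frees the mbuf and does not send an ICMP error or log at the default level, since the RFC 4303 2.6 comment above the check promises a silent drop. A silent drop should still be countable: consider incrementing an ESP input statistics counter next to the check so operators can see the volume of dummy packets on an SA, and note in the comment that `lastthree[2]` is the authenticated Next Header byte read before this point, which is why it is safe to test it before the `m_adj()` trim.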