svn commit: r316490 - head/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Tue Apr 4 13:41:51 UTC 2017
Author: ae
Date: Tue Apr 4 13:41:50 2017
New Revision: 316490
URL: https://svnweb.freebsd.org/changeset/base/316490
Log:
When we are doing SA lookup for TCP-MD5, check both source and
destination addresses. Previous code has used only destination address
for lookup. But for inbound packets the source address was used as SA
destination address. Thus only outbound SA were used for both directions.
Now we use addresses from a packet as is, thus SAs for both directions are
needed.
Reported by: Mike Tancsa
MFC after: 1 week
Modified:
head/sys/netipsec/key.c
Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c Tue Apr 4 13:34:19 2017 (r316489)
+++ head/sys/netipsec/key.c Tue Apr 4 13:41:50 2017 (r316490)
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *sa
kdebug_secash(sah, " "));
if (sah->saidx.proto != IPPROTO_TCP)
continue;
- if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+ if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+ !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {
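Review bot: the new two-address match in key_allocsa_tcpmd5 is a user-visible behaviour change that the log states ("SAs for both directions are needed") but nothing in the diff documents for administrators: a host that previously had a single TCP-MD5 SA keyed on one address pair will now fail lookup for the reverse direction, so existing setkey configurations that relied on the old one-SA-per-pair behaviour stop working after this lands. Suggest an UPDATING or release-note entry (and an MFC note) stating that an SA must be installed for each direction, src->dst and dst->src.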
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *sai
LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
if (sah->saidx.proto != IPPROTO_TCP)
continue;
- if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+ if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+ !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {
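Review bot: the bucket walk in key_getsav_tcpmd5 now duplicates, line for line, the proto check and the two key_sockaddrcmp() calls from key_allocsa_tcpmd5 above; the two copies have already diverged once (this change had to be applied in both places), so consider factoring the match into a small static predicate, e.g. `key_tcpmd5_sah_match(saidx, sah)` returning true when `sah->saidx.proto == IPPROTO_TCP` and both address compares return 0, and calling it from both loops so the next lookup fix cannot be applied to only one of them.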