On Mon, Jan 02, 2017 at 09:53:14AM +0100, Martin Pieuchot wrote:
> This is still an issue, multiple diffs are floating around, could we
> commit a fix?
The only real bug is the length check. Unfortunately it will not
fix naddy's setup. If no one objects, I will commit this as it makes
the behavior independent from the mbuf layout.
ok?
I think we should make it possible to exclude neighbor discovery
packets from a transparent IPsec flow. If I understand ipsec.conf(5)
correctly, it is currently only possible to exclude all icmp6
packets. This is bad as the icmp6 packet may contain confidential
data in the quoted packet.
naddy: How do you work around this problem currently in your setup?
bluhm
Index: netinet6/nd6_nbr.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.113
diff -u -p -r1.113 nd6_nbr.c
--- netinet6/nd6_nbr.c 22 Dec 2016 13:39:32 -0000 1.113
+++ netinet6/nd6_nbr.c 2 Jan 2017 14:40:28 -0000
@@ -453,8 +453,7 @@ nd6_ns_output(struct ifnet *ifp, struct
if (ln && ln->ln_hold) {
hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
- /* XXX pullup? */
- if (sizeof(*hip6) < ln->ln_hold->m_len)
+ if (sizeof(*hip6) <= ln->ln_hold->m_len)
saddr6 = &hip6->ip6_src;
else
saddr6 = NULL;
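
Review bot: The `/* XXX pullup? */` comment is removed at the `sizeof(*hip6) <= ln->ln_hold->m_len` check, but that check still looks only at the first mbuf's m_len, so a held packet whose IPv6 header is not contiguous in the first mbuf silently falls through to `saddr6 = NULL`. Since no pullup is added, consider replacing the XXX with a short comment saying this fallback is intentional, so the open question is not lost. The change from `<` to `<=` itself looks right: an mbuf holding exactly sizeof(*hip6) bytes contains the complete header, and the old test rejected that case.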