Author: ae
Date: Sun Dec  8 15:24:03 2019
New Revision: 355529
URL: https://svnweb.freebsd.org/changeset/base/355529

Log:
  MFC r355129:
    Add support for dummy ESP packets with next header field equal to
    IPPROTO_NONE.
  
    According to RFC4303 2.6 they should be silently dropped.
  
    Submitted by:       aurelien.cazuc.external_stormshield.eu
    Sponsored by:       Stormshield
    Differential Revision:      https://reviews.freebsd.org/D22557

Modified:
  stable/11/sys/netipsec/xform_esp.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/xform_esp.c
==============================================================================
--- stable/11/sys/netipsec/xform_esp.c  Sun Dec  8 15:22:20 2019        (r355528)
+++ stable/11/sys/netipsec/xform_esp.c  Sun Dec  8 15:24:03 2019        (r355529)
@@ -607,6 +607,13 @@ esp_input_cb(struct cryptop *crp)
                }
        }
 
+       /*
+        * RFC4303 2.6:
+        * Silently drop packet if next header field is IPPROTO_NONE.
+        */
+       if (lastthree[2] == IPPROTO_NONE)
+               goto bad;
+
        /* Trim the mbuf chain to remove trailing authenticator and padding */
        m_adj(m, -(lastthree[1] + 2));
 
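Review bot: the new branch `if (lastthree[2] == IPPROTO_NONE) goto bad;` discards the packet without setting error or incrementing any ESP statistics counter, so an operator cannot tell dummy-packet drops apart from normal traffic. "Silently" in RFC 4303 Section 2.6 means no error indication to the peer, not no local accounting; a burst of dummy packets from a misbehaving peer should still show up in the ESP counters. Suggest bumping a suitable ESPSTAT_INC() counter (or at least a debug DPRINTF) immediately before the goto. The placement itself is fine: the check runs before the m_adj() that trims the trailer, so lastthree[2] is read from the same trailer whose pad length lastthree[1] feeds the m_adj() computation. Minor: the comment could cite "RFC 4303, Section 2.6" in full for grep-ability.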
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all