Module Name:    src
Committed By:   ozaki-r
Date:           Wed Aug  2 02:18:17 UTC 2017

Modified Files:
        src/sys/netinet6: icmp6.c

Log Message:
Add missing IPsec policy checks to icmp6_rip6_input

icmp6_rip6_input is quite similar to rip6_input and the same checks exist
in rip6_input.


To generate a diff of this commit:
cvs rdiff -u -r1.212 -r1.213 src/sys/netinet6/icmp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.212 src/sys/netinet6/icmp6.c:1.213
--- src/sys/netinet6/icmp6.c:1.212	Fri Jul  7 00:55:15 2017
+++ src/sys/netinet6/icmp6.c	Wed Aug  2 02:18:17 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.212 2017/07/07 00:55:15 knakahara Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.213 2017/08/02 02:18:17 ozaki-r Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.212 2017/07/07 00:55:15 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.213 2017/08/02 02:18:17 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -104,6 +104,9 @@ __KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.
 
 #ifdef IPSEC
 #include <netipsec/ipsec.h>
+#include <netipsec/ipsec_var.h>
+#include <netipsec/ipsec_private.h>
+#include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #endif
 
@@ -2005,6 +2008,12 @@ icmp6_rip6_input(struct mbuf **mp, int o
 			continue;
 		if (last) {
 			struct	mbuf *n;
+#ifdef IPSEC
+			/*
+			 * Check AH/ESP integrity
+			 */
+			if (ipsec_used && !ipsec6_in_reject(m, last))
+#endif /* IPSEC */
 			if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
 				if (last->in6p_flags & IN6P_CONTROLOPTS)
 					ip6_savecontrol(last, &opts, ip6, n);
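Review bot: The added `if (ipsec_used && !ipsec6_in_reject(m, last))` inside `#ifdef IPSEC` is an unbraced condition whose body is the pre-existing `if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {` on the next line; any statement a later edit inserts between them becomes the guarded body and the m_copy then runs unconditionally. Bracing the guarded statement is awkward across the `#endif`, so at minimum a comment on the m_copy line such as `/* body of the IPsec policy check above when IPSEC is defined */` would make the coupling visible. When the policy check rejects the packet for one of the intermediate sockets the loop just moves on without copying, which matches what the log message says rip6_input does; whether ipsec6_in_reject accounts for that rejection in its own statistics is not visible in this hunk. icmp6_rip6_input begins before this hunk.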
@@ -2023,6 +2032,20 @@ icmp6_rip6_input(struct mbuf **mp, int o
 		}
 		last = in6p;
 	}
+#ifdef IPSEC
+	if (ipsec_used && last && ipsec6_in_reject(m, last)) {
+		m_freem(m);
+		/*
+		 * XXX ipsec6_in_reject update stat if there is an error
+		 * so we just need to update stats by hand in the case of last is
+		 * NULL
+		 */
+		if (!last)
+			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
+			IP6_STATDEC(IP6_STAT_DELIVERED);
+			/* do not inject data into pcb */
+		} else
+#endif /* IPSEC */
 	if (last) {
 		if (last->in6p_flags & IN6P_CONTROLOPTS)
 			ip6_savecontrol(last, &opts, ip6, m);
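Review bot: The `if (!last)` guarding `IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);` is dead code, because the enclosing condition `ipsec_used && last && ipsec6_in_reject(m, last)` already requires `last` to be non-NULL, so the counter is never incremented here and the XXX comment describes a case that cannot occur in this branch. The indentation of the following `IP6_STATDEC(IP6_STAT_DELIVERED);` and `/* do not inject data into pcb */` makes them read as part of that unbraced `if`, while only the IPSEC6_STATINC line actually is. If ipsec6_in_reject is relied on to count the violation itself, drop the `if (!last)`, the IPSEC6_STATINC line and the XXX comment and dedent `IP6_STATDEC(IP6_STAT_DELIVERED);`; otherwise brace the body so the intended scope is explicit. The `} else` placed directly before `#endif /* IPSEC */` binds to the `if (last) {` outside the conditional block, which is fragile to edits on either side and deserves a short comment saying so. The remainder of icmp6_rip6_input, including what happens after the packet is freed, lies outside this hunk.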
