Module Name: src Committed By: maxv Date: Thu Mar 1 06:08:44 UTC 2018
Modified Files: src/sys/netinet: tcp_input.c Log Message: Revert rev1.183 (2003). It was intended as an optimization, but it increases the attack surface: the IPsec policy is not enforced on RST packets when the socket is in the LISTEN state, and an (unauthenticated) attacker could jam the connection between two IPsec hosts by sending RST packets between the client's SYN and ACK packets. Discussed with ozaki-r@. To generate a diff of this commit: cvs rdiff -u -r1.382 -r1.383 src/sys/netinet/tcp_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.382 src/sys/netinet/tcp_input.c:1.383
--- src/sys/netinet/tcp_input.c:1.382 Wed Feb 28 11:23:24 2018
+++ src/sys/netinet/tcp_input.c Thu Mar 1 06:08:43 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.382 2018/02/28 11:23:24 maxv Exp $ */
+/* $NetBSD: tcp_input.c,v 1.383 2018/03/01 06:08:43 maxv Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.382 2018/02/28 11:23:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.383 2018/03/01 06:08:43 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1457,15 +1457,11 @@ findpcb:
 }
 #if defined(IPSEC)
 if (ipsec_used) {
- if (inp &&
- (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0
- && ipsec_in_reject(m, inp)) {
+ if (inp && ipsec_in_reject(m, inp)) {
 goto drop;
 }
 #ifdef INET6
- else if (in6p &&
- (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
- && ipsec_in_reject(m, in6p)) {
+ else if (in6p && ipsec_in_reject(m, in6p)) {
 goto drop;
 }
 #endif
@@ -1500,9 +1496,7 @@ findpcb:
 goto dropwithreset_ratelim;
 }
 #if defined(IPSEC)
- if (ipsec_used && in6p &&
- (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0 &&
- ipsec_in_reject(m, in6p)) {
+ if (ipsec_used && in6p && ipsec_in_reject(m, in6p)) {
 goto drop;
 }
 #endif /*IPSEC*/
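Review bot: The now-unconditional `ipsec_in_reject()` checks after `findpcb:` (the `inp`/`in6p` pair in the `@@ -1457,15 +1457,11 @@` hunk and the `in6p` check in the `@@ -1500,9 +1496,7 @@` hunk) carry no comment saying why listening sockets must not be exempted, so the rationale exists only in the commit log. A comment above the first check would guard against the `SO_ACCEPTCONN` test being reintroduced as an optimization, for example `/* Enforce the inbound IPsec policy on every PCB, LISTEN included; exempting listeners lets unauthenticated RSTs bypass the policy. */`. Policy failures on a listening socket now leave through `goto drop` instead of the `dropwithreset` path used by the block removed in the `@@ -1769,35 +1763,6 @@` hunk, so they are silent on the wire. It is worth confirming that these drops are still counted in the IPsec statistics, which the hunks do not show. The enclosing function starts and ends outside these hunks.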
@@ -1769,35 +1763,6 @@ nosave:;
 }
 #endif
-#if defined(IPSEC)
- if (ipsec_used) {
- switch (af) {
-#ifdef INET
- case AF_INET:
- /*
- * inp can be NULL when receiving an
- * IPv4 packet on an IPv4-mapped IPv6
- * address.
- */
- KASSERT(inp == NULL ||
- sotoinpcb(so) == inp);
- if (!ipsec_in_reject(m, inp))
- break;
- tp = NULL;
- goto dropwithreset;
-#endif
-#ifdef INET6
- case AF_INET6:
- KASSERT(sotoin6pcb(so) == in6p);
- if (!ipsec_in_reject(m, in6p))
- break;
- tp = NULL;
- goto dropwithreset;
-#endif /*INET6*/
- }
- }
-#endif /*IPSEC*/
-
 /*
 * LISTEN socket received a SYN from itself? This
 * can't possibly be valid; drop the packet.