CVS commit: src/sys/netinet

Wed, 28 Feb 2018 22:09:06 -0800 

Module Name:    src
Committed By:   maxv
Date:           Thu Mar  1 06:08:44 UTC 2018

Modified Files:
        src/sys/netinet: tcp_input.c

Log Message:
Revert rev1.183 (2003).

It was intended as an optimization, but it increases the attack surface:
the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.

Discussed with ozaki-r@.


To generate a diff of this commit:
cvs rdiff -u -r1.382 -r1.383 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet/tcp_input.c
diff -u src/sys/netinet/tcp_input.c:1.382 src/sys/netinet/tcp_input.c:1.383
--- src/sys/netinet/tcp_input.c:1.382	Wed Feb 28 11:23:24 2018
+++ src/sys/netinet/tcp_input.c	Thu Mar  1 06:08:43 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.382 2018/02/28 11:23:24 maxv Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.383 2018/03/01 06:08:43 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.382 2018/02/28 11:23:24 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.383 2018/03/01 06:08:43 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1457,15 +1457,11 @@ findpcb:
 		}
 #if defined(IPSEC)
 		if (ipsec_used) {
-			if (inp &&
-			    (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0
-			    && ipsec_in_reject(m, inp)) {
+			if (inp && ipsec_in_reject(m, inp)) {
 				goto drop;
 			}
 #ifdef INET6
-			else if (in6p &&
-			    (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-			    && ipsec_in_reject(m, in6p)) {
+			else if (in6p && ipsec_in_reject(m, in6p)) {
 				goto drop;
 			}
 #endif
@@ -1500,9 +1496,7 @@ findpcb:
 			goto dropwithreset_ratelim;
 		}
 #if defined(IPSEC)
-		if (ipsec_used && in6p &&
-		    (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0 &&
-		    ipsec_in_reject(m, in6p)) {
+		if (ipsec_used && in6p && ipsec_in_reject(m, in6p)) {
 			goto drop;
 		}
 #endif /*IPSEC*/
@@ -1769,35 +1763,6 @@ nosave:;
 			}
 #endif
 
-#if defined(IPSEC)
-			if (ipsec_used) {
-				switch (af) {
-#ifdef INET
-				case AF_INET:
-					/*
-					 * inp can be NULL when receiving an
-					 * IPv4 packet on an IPv4-mapped IPv6
-					 * address.
-					 */
-					KASSERT(inp == NULL ||
-					    sotoinpcb(so) == inp);
-					if (!ipsec_in_reject(m, inp))
-						break;
-					tp = NULL;
-					goto dropwithreset;
-#endif
-#ifdef INET6
-				case AF_INET6:
-					KASSERT(sotoin6pcb(so) == in6p);
-					if (!ipsec_in_reject(m, in6p))
-						break;
-					tp = NULL;
-					goto dropwithreset;
-#endif /*INET6*/
-				}
-			}
-#endif /*IPSEC*/
-
 			/*
 			 * LISTEN socket received a SYN from itself? This
 			 * can't possibly be valid; drop the packet.

Reply via email to