On Wed, Aug 16, 2017 at 05:18:09PM +0200, Mike Belopuhov wrote: > Hi, > > In may this year, the condition that would make this break do the > right thing got removed and now if a short packet is sent to an > ipsec-enabled bridge, various things like 'spi' and 'off' are left > uninitialized, but thankfully the gettdb call that follows will > most likely fail when presented with a random spi value. But it's > a nasty bug nevertheless. > > OK?
OK bluhm@ > > diff --git sys/net/if_bridge.c sys/net/if_bridge.c > index 0e048205475..33d4753fd6b 100644 > --- sys/net/if_bridge.c > +++ sys/net/if_bridge.c > @@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet > *ifp, > > if (dir == BRIDGE_IN) { > switch (af) { > case AF_INET: > if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) > - break; > + goto skiplookup; > > ip = mtod(m, struct ip *); > proto = ip->ip_p; > off = offsetof(struct ip, ip_p); > > @@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet > *ifp, > > break; > #ifdef INET6 > case AF_INET6: > if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) > - break; > + goto skiplookup; > > ip6 = mtod(m, struct ip6_hdr *); > > /* XXX We should chase down the header chain */ > proto = ip6->ip6_nxt;