git: 863871d369f8 - main - ipsec: Improve validation of PMTU
Date: Wed, 27 Jul 2022 14:14:40 UTC
The branch main has been updated by kd: URL: https://cgit.FreeBSD.org/src/commit/?id=863871d369f8deb687aafa26599d93a6ef7c5e41 commit 863871d369f8deb687aafa26599d93a6ef7c5e41 Author: Kornel Dulęba <kd@FreeBSD.org> AuthorDate: 2022-07-27 14:12:34 +0000 Commit: Kornel Dulęba <kd@FreeBSD.org> CommitDate: 2022-07-27 14:12:34 +0000 ipsec: Improve validation of PMTU Currently there is no upper bound on the PMTU value that is accepted. Update hostcache only if the new pmtu is smaller than the current entry and the link MTU. Approved by: mw(mentor) Sponsored by: Stormshield Obtained from: Semihalf Differential Revision: https://reviews.freebsd.org/D35872 --- sys/netipsec/ipsec_input.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index ce8f1f02b8be..268d8a797c35 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v) struct icmp *icp; struct ip *ip = v; uint32_t pmtu, spi; + uint32_t max_pmtu; uint8_t proto; if (code != PRC_MSGSIZE || ip == NULL) @@ -304,7 +305,15 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v) memset(&inc, 0, sizeof(inc)); inc.inc_faddr = satosin(sa)->sin_addr; - tcp_hc_updatemtu(&inc, pmtu); + + /* Update pmtu only if its smaller than the current one. */ + max_pmtu = tcp_hc_getmtu(&inc); + if (max_pmtu == 0) + max_pmtu = tcp_maxmtu(&inc, NULL); + + if (pmtu < max_pmtu) + tcp_hc_updatemtu(&inc, pmtu); + return (0); }
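Review bot: In the second hunk (the block replacing the bare tcp_hc_updatemtu() call in ipsec4_ctlinput), the new check does not quite match the commit message: the message says the hostcache is updated only if the new pmtu is smaller than "the current entry and the link MTU", but the code compares against tcp_hc_getmtu() when a cached entry exists and only falls back to tcp_maxmtu() when it does not, so the link MTU is never consulted once an entry is present. If the intent is the stricter bound, take the minimum of both; if the cached entry is already guaranteed to be at or below the link MTU, say so in the comment. Two smaller points on the same lines: the comment "Update pmtu only if its smaller than the current one." should read "it's", and it should mention the link-MTU fallback; and nothing visible in this hunk rejects a pmtu below the minimum IP MTU (such as 0), so if that lower bound is enforced earlier in the function, a short note here would help a reader confirm that pmtu < max_pmtu is the only check that is needed.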