svn commit: r312342 - projects/ipsec/sys/netipsec

[Andrey V. Elsukov]

Author: ae
Date: Tue Jan 17 12:43:55 2017
New Revision: 312342
URL: https://svnweb.freebsd.org/changeset/base/312342

Log:
  RFC2367 doesn't allow update anything but state and lifetimes for SAs in
  MATURE state.
  
  Do not require presence of SADB_EXT_KEY_ENCRYPT and SADB_EXT_KEY_AUTH
  in the general checks for SADB_UPDATE message. They only required for
  MATURE SAs. For LARVAL SAs on the contrary these headers are not allowed.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c	Tue Jan 17 10:50:28 2017	(r312341)
+++ projects/ipsec/sys/netipsec/key.c	Tue Jan 17 12:43:55 2017	(r312342)
@@ -4968,12 +4968,6 @@ key_update(struct socket *so, struct mbu
 	if (SADB_CHECKHDR(mhp, SADB_EXT_SA) ||
 	    SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
 	    SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
-	    (mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP && (
-		SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT) ||
-		SADB_CHECKLEN(mhp, SADB_EXT_KEY_ENCRYPT))) ||
-	    (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH && (
-		SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH) ||
-		SADB_CHECKLEN(mhp, SADB_EXT_KEY_AUTH))) ||
 	    (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_HARD) &&
 		!SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT)) ||
 	    (SADB_CHECKHDR(mhp, SADB_EXT_LIFETIME_SOFT) &&
@@ -5053,6 +5047,16 @@ key_update(struct socket *so, struct mbu
 	}
 
 	if (sav->state == SADB_SASTATE_LARVAL) {
+		if ((mhp->msg->sadb_msg_satype == SADB_SATYPE_ESP &&
+		    SADB_CHECKHDR(mhp, SADB_EXT_KEY_ENCRYPT)) ||
+		    (mhp->msg->sadb_msg_satype == SADB_SATYPE_AH &&
+		    SADB_CHECKHDR(mhp, SADB_EXT_KEY_AUTH))) {
+			ipseclog((LOG_DEBUG,
+			    "%s: invalid message: missing required header.\n",
+			    __func__));
+			key_freesav(&sav);
+			return key_senderror(so, m, EINVAL);
+		}
 		/*
 		 * We can set any values except src, dst and SPI.
 		 */