svn commit: r355528 - stable/12/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sun Dec 8 15:22:21 UTC 2019
Author: ae
Date: Sun Dec 8 15:22:20 2019
New Revision: 355528
URL: https://svnweb.freebsd.org/changeset/base/355528
Log:
MFC r355129:
Add support for dummy ESP packets with next header field equal to
IPPROTO_NONE.
According to RFC4303 2.6 they should be silently dropped.
Submitted by: aurelien.cazuc.external_stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D22557
Modified:
stable/12/sys/netipsec/xform_esp.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netipsec/xform_esp.c
==============================================================================
--- stable/12/sys/netipsec/xform_esp.c Sun Dec 8 09:44:50 2019 (r355527)
+++ stable/12/sys/netipsec/xform_esp.c Sun Dec 8 15:22:20 2019 (r355528)
@@ -607,6 +607,13 @@ esp_input_cb(struct cryptop *crp)
}
}
+ /*
+ * RFC4303 2.6:
+ * Silently drop packet if next header field is IPPROTO_NONE.
+ */
+ if (lastthree[2] == IPPROTO_NONE)
+ goto bad;
+
/* Trim the mbuf chain to remove trailing authenticator and padding */
m_adj(m, -(lastthree[1] + 2));
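Review bot: the `goto bad` taken when `lastthree[2] == IPPROTO_NONE` should be confirmed not to count or log the packet as an error, because RFC 4303 2.6 dummy packets are legitimate traffic-flow-confidentiality padding that the receiver is required to discard silently; if the `bad` label (not visible in this hunk) bumps an error statistic alongside malformed packets, a dedicated counter would let operators tell expected dummy traffic from actual header drops. A one-line addition to the new comment stating that the next-header byte in the trailer is only consulted after integrity verification has already succeeded in this callback would also document why an unauthenticated, spoofed next-header value cannot trigger this drop.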