aboutsummaryrefslogtreecommitdiff
path: root/sys/netipsec/xform_esp.c
diff options
context:
space:
mode:
authorAndrey V. Elsukov <ae@FreeBSD.org>2019-11-27 10:24:46 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2019-11-27 10:24:46 +0000
commit3f44ee8e998d823ac406c8130bac850452c7efe7 (patch)
tree60adc733d380cef6a8560d4c92f99b41004ee68e /sys/netipsec/xform_esp.c
parent18613136231d526d7bd47fc0274b6a0d3fecf5ab (diff)
downloadsrc-3f44ee8e998d823ac406c8130bac850452c7efe7.tar.gz
src-3f44ee8e998d823ac406c8130bac850452c7efe7.zip
Add support for dummy ESP packets with next header field equal to
IPPROTO_NONE. According to RFC4303 2.6 they should be silently dropped. Submitted by: aurelien.cazuc.external_stormshield.eu MFC after: 10 days Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D22557
Notes
Notes: svn path=/head/; revision=355129
Diffstat (limited to 'sys/netipsec/xform_esp.c')
-rw-r--r--sys/netipsec/xform_esp.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 3b5394243c8b..918d98b6af22 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -614,6 +614,13 @@ esp_input_cb(struct cryptop *crp)
}
}
+ /*
+ * RFC4303 2.6:
+ * Silently drop packet if next header field is IPPROTO_NONE.
+ */
+ if (lastthree[2] == IPPROTO_NONE)
+ goto bad;
+
/* Trim the mbuf chain to remove trailing authenticator and padding */
m_adj(m, -(lastthree[1] + 2));
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-18 05:55:41 +0000