diff options
author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:37:58 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:54:29 -0500 |
commit | 35579e99c39d480d190f0e29606710433c0d3bf0 (patch) | |
tree | 9553b514373292e4666e14b906e1dcb4a079812b /sys/netinet/ip_input.c | |
parent | 3c0d181698b9de090cab91e9774478734903f554 (diff) | |
download | FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.zip FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.tar.gz |
MFC r275703:
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when packet has ESP/AH header. Presence of
PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that
packet was already handled by IPSEC and reinjected in the netisr,
and it has another ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
was already stripped (and probably outer IP header was stripped too)
and security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.
Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 50334c3..ad1e7eb 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -724,7 +724,7 @@ ours: * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if (ip_ipsec_input(m)) + if (ip_ipsec_input(m, ip->ip_p) != 0) goto bad; #endif /* IPSEC */ |