diff options
author | zec <zec@FreeBSD.org> | 2014-07-01 08:02:25 +0000 |
---|---|---|
committer | zec <zec@FreeBSD.org> | 2014-07-01 08:02:25 +0000 |
commit | 4aaabb881aeb80f34df75a9a889d6ebf15dbd7ac (patch) | |
tree | 2a563dc8b4c1f444bf57b5dc0698739568f5c4b8 /sys/netipsec/ipsec_output.c | |
parent | ebdbb8771cd798ea14224eb4499d960a2aa18565 (diff) | |
download | FreeBSD-src-4aaabb881aeb80f34df75a9a889d6ebf15dbd7ac.zip FreeBSD-src-4aaabb881aeb80f34df75a9a889d6ebf15dbd7ac.tar.gz |
The assumption in ipsec4_process_packet() that the payload may be
only IPv4 is wrong, so check the IP version before mangling the
payload header.
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r-- | sys/netipsec/ipsec_output.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 3e83175..8566bb4 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -498,9 +498,11 @@ ipsec4_process_packet( goto bad; } ip = mtod(m, struct ip *); - ip->ip_len = htons(m->m_pkthdr.len); - ip->ip_sum = 0; - ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + if (ip->ip_v == IPVERSION) { + ip->ip_len = htons(m->m_pkthdr.len); + ip->ip_sum = 0; + ip->ip_sum = in_cksum(m, ip->ip_hl << 2); + } /* Encapsulate the packet */ error = ipip_output(m, isr, &mp, 0, 0); |