author | gnn <gnn@FreeBSD.org> | 2007-09-12 05:54:53 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2007-09-12 05:54:53 +0000 |
commit | a2ad10dc879940266a904337d417adf37a381444 (patch) | |
tree | eeb6c82b4855896350a2378359e2a89ede864975 /sys/netipsec | |
parent | 552004c58fe4309739533ab8f639bfb573b5b073 (diff) | |
Fix for an infinite loop in processing ESP, IPv6 packets.
The control input routine passes a NULL as its void argument when it
has reached the innermost header, which terminates the loop.
Reported by: Pawel Worach <pawel.worach@gmail.com>
Approved by: re
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec_input.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 0e35a37..cea8aff 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -761,6 +761,11 @@ bad:
 void
 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
 {
+ struct ip6ctlparam *ip6cp = NULL;
+ struct mbuf *m = NULL;
+ struct ip6_hdr *ip6;
+ int off;
+
 if (sa->sa_family != AF_INET6 ||
 sa->sa_len != sizeof(struct sockaddr_in6))
 return;
@@ -768,10 +773,18 @@ esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
 return;
 /* if the parameter is from icmp6, decode it. */
- if (d != NULL) {
- struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
- struct mbuf *m = ip6cp->ip6c_m;
- int off = ip6cp->ip6c_off;
+ if (d != NULL) {
+ ip6cp = (struct ip6ctlparam *)d;
+ m = ip6cp->ip6c_m;
+ ip6 = ip6cp->ip6c_ip6;
+ off = ip6cp->ip6c_off;
+ } else {
+ m = NULL;
+ ip6 = NULL;
+ off = 0; /* calm gcc */
+ }
+
+ if (ip6 != NULL) {
 struct ip6ctlparam ip6cp1; |
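Review bot: In the first hunk `ip6` and `off` are declared without initialisers while `ip6cp` and `m` get `= NULL`, so the later `if (ip6 != NULL)` test is only well defined because both branches of the decode in the second hunk happen to assign `ip6`. Initialising all four at the declaration, `struct ip6_hdr *ip6 = NULL;` and `int off = 0;`, would make the `else` branch unnecessary and would keep a future edit from leaving a kernel pointer indeterminate on one path. The body of esp6_ctlinput continues outside this hunk.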
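Review bot: The new `if (ip6 != NULL)` guard in the second hunk is the condition that stops the repeated notification, yet it has no comment, and the retained `/* if the parameter is from icmp6, decode it. */` now describes only the decode step above it. The commit message speaks of a NULL void argument, whereas the code tests `ip6cp->ip6c_ip6`, so a reader cannot tell from the source which condition ends the loop. I would add above the guard `/* ip6c_ip6 is NULL once the innermost header has been reached; do not notify again. */`, with the wording checked against the caller since it is inferred from the commit message. The body of the `if (ip6 != NULL)` block continues outside the hunk.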