summaryrefslogtreecommitdiffstats
path: root/sys/netinet/raw_ip.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r--sys/netinet/raw_ip.c29
1 files changed, 25 insertions, 4 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 4fdcf95..32c909a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -137,6 +137,15 @@ rip_input(m, off, proto)
continue;
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
+
+#ifdef IPSEC
+ /* check AH/ESP integrity. */
+ if (n && ipsec4_in_reject_so(n, last->inp_socket)) {
+ m_freem(n);
+ ipsecstat.in_polvio++;
+ /* do not inject data to pcb */
+ } else
+#endif /*IPSEC*/
if (n) {
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
@@ -155,6 +164,15 @@ rip_input(m, off, proto)
}
last = inp;
}
+#ifdef IPSEC
+ /* check AH/ESP integrity. */
+ if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
+ m_freem(m);
+ ipsecstat.in_polvio++;
+ ipstat.ips_delivered--;
+ /* do not inject data to pcb */
+ } else
+#endif /*IPSEC*/
if (last) {
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
@@ -168,9 +186,9 @@ rip_input(m, off, proto)
sorwakeup(last->inp_socket);
} else {
m_freem(m);
- ipstat.ips_noproto++;
- ipstat.ips_delivered--;
- }
+ ipstat.ips_noproto++;
+ ipstat.ips_delivered--;
+ }
}
/*
@@ -232,7 +250,10 @@ rip_output(m, so, dst)
}
#ifdef IPSEC
- ipsec_setsocket(m, so);
+ if (ipsec_setsocket(m, so) != 0) {
+ m_freem(m);
+ return ENOBUFS;
+ }
#endif /*IPSEC*/
return (ip_output(m, inp->inp_options, &inp->inp_route, flags,
OpenPOWER on IntegriCloud