From 35579e99c39d480d190f0e29606710433c0d3bf0 Mon Sep 17 00:00:00 2001 From: Luiz Otavio O Souza Date: Tue, 15 Sep 2015 14:37:58 -0500 Subject: MFC r275703: Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its security policy. The changed block of code in ip*_ipsec_input() is called when packet has ESP/AH header. Presence of PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that packet was already handled by IPSEC and reinjected in the netisr, and it has another ESP/AH headers (encrypted twice?). Since it was already processed by IPSEC code, the AH/ESP headers was already stripped (and probably outer IP header was stripped too) and security policy from the tdb_ident was applied to those headers. It is incorrect to apply this security policy to current headers. Also make ip_ipsec_input() prototype similar to ip6_ipsec_input(). Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841 --- sys/netinet/ip_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sys/netinet/ip_input.c') diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 50334c3..ad1e7eb 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -724,7 +724,7 @@ ours: * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if (ip_ipsec_input(m)) + if (ip_ipsec_input(m, ip->ip_p) != 0) goto bad; #endif /* IPSEC */ -- cgit v1.1