From 4aaabb881aeb80f34df75a9a889d6ebf15dbd7ac Mon Sep 17 00:00:00 2001
From: zec
Date: Tue, 1 Jul 2014 08:02:25 +0000
Subject: The assumption in ipsec4_process_packet() that the payload may be only IPv4 is wrong, so check the IP version before mangling the payload header.
---
 sys/netipsec/ipsec_output.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'sys/netipsec')
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 3e83175..8566bb4 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -498,9 +498,11 @@ ipsec4_process_packet(
 goto bad;
 }
 ip = mtod(m, struct ip *);
- ip->ip_len = htons(m->m_pkthdr.len);
- ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
+ if (ip->ip_v == IPVERSION) {
+ ip->ip_len = htons(m->m_pkthdr.len);
+ ip->ip_sum = 0;
+ ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
+ }

 /* Encapsulate the packet */
 error = ipip_output(m, isr, &mp, 0, 0);
--
cgit v1.1
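Review bot: The new `if (ip->ip_v == IPVERSION)` guard has no comment, and in a function named ipsec4_process_packet() a reader will not expect a non-IPv4 payload at this point; I would put `/* Payload is not always IPv4; only an IPv4 header has ip_len/ip_sum to refresh. */` directly above it. Inside the guard, `in_cksum(m, ip->ip_hl << 2)` still takes its length from the header being rewritten, and the hunk does not show whether `ip_hl` has been checked against `sizeof(struct ip)` and the contiguous mbuf length. If the surrounding code only guarantees `sizeof(struct ip)` bytes, that should be confirmed, or a bound such as `(ip->ip_hl << 2) >= sizeof(struct ip)` added to the condition. The function starts and ends outside the hunk, so any earlier validation is not visible here.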