Pull up following revision(s) (requested by maxv in ticket #1532): sys/netipsec/xform_ah.c: 1.77 via patch sys/netipsec/xform_esp.c: 1.73 via patch sys/netipsec/xform_ipip.c: 1.56-1.57 via patch Reinforce and clarify. -- Add missing NULL check. Normally that's not triggerable remotely, since we are guaranteed that 8 bytes are valid at mbuf+skip. -- Fix use-after-free. There is a path where the mbuf gets pulled up without a proper mtod afterwards: 218 ipo = mtod(m, struct ip *); 281 m = m_pullup(m, hlen); 232 ipo->ip_src.s_addr Found by Mootja. Meanwhile it seems to me that 'ipo' should be set to NULL if the inner packet is IPv6, but I'll revisit that later. -- As I said in my last commit in this file, ipo should be set to NULL; otherwise the 'local address spoofing' check below is always wrong on IPv6.diff -r1.37.6.3 -r1.37.6.4 src/sys/netipsec/xform_ah.c
(snj)
--- src/sys/netipsec/xform_ah.c 2018/02/15 16:50:01 1.37.6.3
+++ src/sys/netipsec/xform_ah.c 2018/03/13 17:18:12 1.37.6.4
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: xform_ah.c,v 1.37.6.3 2018/02/15 16:50:01 martin Exp $ */ | 1 | /* $NetBSD: xform_ah.c,v 1.37.6.4 2018/03/13 17:18:12 snj Exp $ */ | |
2 | /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ | 2 | /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ | |
3 | /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ | 3 | /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ | |
4 | /* | 4 | /* | |
5 | * The authors of this code are John Ioannidis (ji@tla.org), | 5 | * The authors of this code are John Ioannidis (ji@tla.org), | |
6 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | 6 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | |
7 | * Niels Provos (provos@physnet.uni-hamburg.de). | 7 | * Niels Provos (provos@physnet.uni-hamburg.de). | |
8 | * | 8 | * | |
9 | * The original version of this code was written by John Ioannidis | 9 | * The original version of this code was written by John Ioannidis | |
10 | * for BSD/OS in Athens, Greece, in November 1995. | 10 | * for BSD/OS in Athens, Greece, in November 1995. | |
11 | * | 11 | * | |
12 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | 12 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | |
13 | * by Angelos D. Keromytis. | 13 | * by Angelos D. Keromytis. | |
14 | * | 14 | * | |
@@ -29,27 +29,27 @@ | @@ -29,27 +29,27 @@ | |||
29 | * You may use this code under the GNU public license if you so wish. Please | 29 | * You may use this code under the GNU public license if you so wish. Please | |
30 | * contribute changes back to the authors under this freer than GPL license | 30 | * contribute changes back to the authors under this freer than GPL license | |
31 | * so that we may further the use of strong encryption without limitations to | 31 | * so that we may further the use of strong encryption without limitations to | |
32 | * all. | 32 | * all. | |
33 | * | 33 | * | |
34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | 34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | |
35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | 35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | |
36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | 36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | |
37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | 37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | |
38 | * PURPOSE. | 38 | * PURPOSE. | |
39 | */ | 39 | */ | |
40 | 40 | |||
41 | #include <sys/cdefs.h> | 41 | #include <sys/cdefs.h> | |
42 | __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.6.3 2018/02/15 16:50:01 martin Exp $"); | 42 | __KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.6.4 2018/03/13 17:18:12 snj Exp $"); | |
43 | 43 | |||
44 | #include "opt_inet.h" | 44 | #include "opt_inet.h" | |
45 | #ifdef __FreeBSD__ | 45 | #ifdef __FreeBSD__ | |
46 | #include "opt_inet6.h" | 46 | #include "opt_inet6.h" | |
47 | #endif | 47 | #endif | |
48 | 48 | |||
49 | #include <sys/param.h> | 49 | #include <sys/param.h> | |
50 | #include <sys/systm.h> | 50 | #include <sys/systm.h> | |
51 | #include <sys/mbuf.h> | 51 | #include <sys/mbuf.h> | |
52 | #include <sys/socket.h> | 52 | #include <sys/socket.h> | |
53 | #include <sys/syslog.h> | 53 | #include <sys/syslog.h> | |
54 | #include <sys/kernel.h> | 54 | #include <sys/kernel.h> | |
55 | #include <sys/sysctl.h> | 55 | #include <sys/sysctl.h> | |
@@ -488,74 +488,65 @@ ah_massage_headers(struct mbuf **m0, int | @@ -488,74 +488,65 @@ ah_massage_headers(struct mbuf **m0, int | |||
488 | skip - sizeof(struct ip6_hdr), ptr); | 488 | skip - sizeof(struct ip6_hdr), ptr); | |
489 | alloc = 1; | 489 | alloc = 1; | |
490 | } else { | 490 | } else { | |
491 | /* No need to allocate memory. */ | 491 | /* No need to allocate memory. */ | |
492 | ptr = mtod(m, unsigned char *) + | 492 | ptr = mtod(m, unsigned char *) + | |
493 | sizeof(struct ip6_hdr); | 493 | sizeof(struct ip6_hdr); | |
494 | alloc = 0; | 494 | alloc = 0; | |
495 | } | 495 | } | |
496 | } else | 496 | } else | |
497 | break; | 497 | break; | |
498 | 498 | |||
499 | nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ | 499 | nxt = ip6.ip6_nxt & 0xff; /* Next header type. */ | |
500 | 500 | |||
501 | for (off = 0; off < skip - sizeof(struct ip6_hdr);) | 501 | for (off = 0; off < skip - sizeof(struct ip6_hdr);) { | |
502 | int noff; | |||
503 | ||||
502 | switch (nxt) { | 504 | switch (nxt) { | |
503 | case IPPROTO_HOPOPTS: | 505 | case IPPROTO_HOPOPTS: | |
504 | case IPPROTO_DSTOPTS: | 506 | case IPPROTO_DSTOPTS: | |
505 | ip6e = (struct ip6_ext *) (ptr + off); | 507 | ip6e = (struct ip6_ext *)(ptr + off); | |
508 | noff = off + ((ip6e->ip6e_len + 1) << 3); | |||
509 | ||||
510 | /* Sanity check. */ | |||
511 | if (noff > skip - sizeof(struct ip6_hdr)) { | |||
512 | goto error6; | |||
513 | } | |||
506 | 514 | |||
507 | /* | 515 | /* | |
508 | * Process the mutable/immutable | 516 | * Zero out mutable options. | |
509 | * options -- borrows heavily from the | |||
510 | * KAME code. | |||
511 | */ | 517 | */ | |
512 | for (count = off + sizeof(struct ip6_ext); | 518 | for (count = off + sizeof(struct ip6_ext); | |
513 | count < off + ((ip6e->ip6e_len + 1) << 3);) { | 519 | count < noff;) { | |
514 | if (ptr[count] == IP6OPT_PAD1) { | 520 | if (ptr[count] == IP6OPT_PAD1) { | |
515 | count++; | 521 | count++; | |
516 | continue; /* Skip padding. */ | 522 | continue; | |
517 | } | |||
518 | ||||
519 | /* Sanity check. */ | |||
520 | if (count > off + | |||
521 | ((ip6e->ip6e_len + 1) << 3)) { | |||
522 | m_freem(m); | |||
523 | ||||
524 | /* Free, if we allocated. */ | |||
525 | if (alloc) | |||
526 | free(ptr, M_XDATA); | |||
527 | return EINVAL; | |||
528 | } | 523 | } | |
529 | 524 | |||
530 | ad = ptr[count + 1] + 2; | 525 | ad = ptr[count + 1] + 2; | |
531 | 526 | |||
532 | /* If mutable option, zeroize. */ | 527 | if (count + ad > noff) { | |
533 | if (ptr[count] & IP6OPT_MUTABLE) | 528 | goto error6; | |
534 | memcpy(ptr + count, ipseczeroes, | 529 | } | |
535 | ad); | 530 | ||
531 | if (ptr[count] & IP6OPT_MUTABLE) { | |||
532 | memset(ptr + count, 0, ad); | |||
533 | } | |||
536 | 534 | |||
537 | count += ad; | 535 | count += ad; | |
536 | } | |||
538 | 537 | |||
539 | /* Sanity check. */ | 538 | if (count != noff) { | |
540 | if (count > | 539 | goto error6; | |
541 | skip - sizeof(struct ip6_hdr)) { | |||
542 | m_freem(m); | |||
543 | ||||
544 | /* Free, if we allocated. */ | |||
545 | if (alloc) | |||
546 | free(ptr, M_XDATA); | |||
547 | return EINVAL; | |||
548 | } | |||
549 | } | 540 | } | |
550 | 541 | |||
551 | /* Advance. */ | 542 | /* Advance. */ | |
552 | off += ((ip6e->ip6e_len + 1) << 3); | 543 | off += ((ip6e->ip6e_len + 1) << 3); | |
553 | nxt = ip6e->ip6e_nxt; | 544 | nxt = ip6e->ip6e_nxt; | |
554 | break; | 545 | break; | |
555 | 546 | |||
556 | case IPPROTO_ROUTING: | 547 | case IPPROTO_ROUTING: | |
557 | /* | 548 | /* | |
558 | * Always include routing headers in | 549 | * Always include routing headers in | |
559 | * computation. | 550 | * computation. | |
560 | */ | 551 | */ | |
561 | { | 552 | { | |
@@ -593,31 +584,33 @@ ah_massage_headers(struct mbuf **m0, int | @@ -593,31 +584,33 @@ ah_massage_headers(struct mbuf **m0, int | |||
593 | 584 | |||
594 | rh0->ip6r0_segleft = 0; | 585 | rh0->ip6r0_segleft = 0; | |
595 | } | 586 | } | |
596 | 587 | |||
597 | /* advance */ | 588 | /* advance */ | |
598 | off += ((ip6e->ip6e_len + 1) << 3); | 589 | off += ((ip6e->ip6e_len + 1) << 3); | |
599 | nxt = ip6e->ip6e_nxt; | 590 | nxt = ip6e->ip6e_nxt; | |
600 | break; | 591 | break; | |
601 | } | 592 | } | |
602 | 593 | |||
603 | default: | 594 | default: | |
604 | DPRINTF(("ah_massage_headers: unexpected " | 595 | DPRINTF(("ah_massage_headers: unexpected " | |
605 | "IPv6 header type %d", off)); | 596 | "IPv6 header type %d", off)); | |
597 | error6: | |||
606 | if (alloc) | 598 | if (alloc) | |
607 | free(ptr, M_XDATA); | 599 | free(ptr, M_XDATA); | |
608 | m_freem(m); | 600 | m_freem(m); | |
609 | return EINVAL; | 601 | return EINVAL; | |
610 | } | 602 | } | |
603 | } | |||
611 | 604 | |||
612 | /* Copyback and free, if we allocated. */ | 605 | /* Copyback and free, if we allocated. */ | |
613 | if (alloc) { | 606 | if (alloc) { | |
614 | m_copyback(m, sizeof(struct ip6_hdr), | 607 | m_copyback(m, sizeof(struct ip6_hdr), | |
615 | skip - sizeof(struct ip6_hdr), ptr); | 608 | skip - sizeof(struct ip6_hdr), ptr); | |
616 | free(ptr, M_XDATA); | 609 | free(ptr, M_XDATA); | |
617 | } | 610 | } | |
618 | 611 | |||
619 | break; | 612 | break; | |
620 | #endif /* INET6 */ | 613 | #endif /* INET6 */ | |
621 | } | 614 | } | |
622 | 615 | |||
623 | return 0; | 616 | return 0; |
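Review bot: In the HOPOPTS/DSTOPTS loop of the first hunk, `ad = ptr[count + 1] + 2;` reads the option length byte before anything proves it lies inside the extension header: a run of PAD1 bytes can leave `count == noff - 1`, so the read touches `ptr[noff]`, which is one byte past the header region when `noff == skip - sizeof(struct ip6_hdr)` and past the end of the copied buffer when `alloc` is set. The following `count + ad > noff` test does reject the packet, but only after the out-of-range byte has already been read. A guard in front of the read closes it, `if (noff - count < 2) { goto error6; }`. The trailing `if (count != noff)` cannot fire with the new bounds (every step keeps `count <= noff`), so it acts as a defensive assertion rather than a check; a one-line comment saying so would save the next reader the analysis. ah_massage_headers begins above the hunk and its IPv4 branch is not visible here.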
--- src/sys/netipsec/xform_esp.c 2012/01/25 20:31:23 1.40
+++ src/sys/netipsec/xform_esp.c 2018/03/13 17:18:12 1.40.6.1
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $ */ | 1 | /* $NetBSD: xform_esp.c,v 1.40.6.1 2018/03/13 17:18:12 snj Exp $ */ | |
2 | /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ | 2 | /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ | |
3 | /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ | 3 | /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ | |
4 | 4 | |||
5 | /* | 5 | /* | |
6 | * The authors of this code are John Ioannidis (ji@tla.org), | 6 | * The authors of this code are John Ioannidis (ji@tla.org), | |
7 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | 7 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | |
8 | * Niels Provos (provos@physnet.uni-hamburg.de). | 8 | * Niels Provos (provos@physnet.uni-hamburg.de). | |
9 | * | 9 | * | |
10 | * The original version of this code was written by John Ioannidis | 10 | * The original version of this code was written by John Ioannidis | |
11 | * for BSD/OS in Athens, Greece, in November 1995. | 11 | * for BSD/OS in Athens, Greece, in November 1995. | |
12 | * | 12 | * | |
13 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | 13 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | |
14 | * by Angelos D. Keromytis. | 14 | * by Angelos D. Keromytis. | |
@@ -29,27 +29,27 @@ | @@ -29,27 +29,27 @@ | |||
29 | * You may use this code under the GNU public license if you so wish. Please | 29 | * You may use this code under the GNU public license if you so wish. Please | |
30 | * contribute changes back to the authors under this freer than GPL license | 30 | * contribute changes back to the authors under this freer than GPL license | |
31 | * so that we may further the use of strong encryption without limitations to | 31 | * so that we may further the use of strong encryption without limitations to | |
32 | * all. | 32 | * all. | |
33 | * | 33 | * | |
34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | 34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | |
35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | 35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | |
36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | 36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | |
37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | 37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | |
38 | * PURPOSE. | 38 | * PURPOSE. | |
39 | */ | 39 | */ | |
40 | 40 | |||
41 | #include <sys/cdefs.h> | 41 | #include <sys/cdefs.h> | |
42 | __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $"); | 42 | __KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40.6.1 2018/03/13 17:18:12 snj Exp $"); | |
43 | 43 | |||
44 | #include "opt_inet.h" | 44 | #include "opt_inet.h" | |
45 | #ifdef __FreeBSD__ | 45 | #ifdef __FreeBSD__ | |
46 | #include "opt_inet6.h" | 46 | #include "opt_inet6.h" | |
47 | #endif | 47 | #endif | |
48 | 48 | |||
49 | #include <sys/param.h> | 49 | #include <sys/param.h> | |
50 | #include <sys/systm.h> | 50 | #include <sys/systm.h> | |
51 | #include <sys/mbuf.h> | 51 | #include <sys/mbuf.h> | |
52 | #include <sys/socket.h> | 52 | #include <sys/socket.h> | |
53 | #include <sys/syslog.h> | 53 | #include <sys/syslog.h> | |
54 | #include <sys/kernel.h> | 54 | #include <sys/kernel.h> | |
55 | /*#include <sys/random.h>*/ | 55 | /*#include <sys/random.h>*/ | |
@@ -305,26 +305,30 @@ esp_input(struct mbuf *m, const struct s | @@ -305,26 +305,30 @@ esp_input(struct mbuf *m, const struct s | |||
305 | struct cryptop *crp; | 305 | struct cryptop *crp; | |
306 | 306 | |||
307 | IPSEC_SPLASSERT_SOFTNET("esp_input"); | 307 | IPSEC_SPLASSERT_SOFTNET("esp_input"); | |
308 | 308 | |||
309 | IPSEC_ASSERT(sav != NULL, ("esp_input: null SA")); | 309 | IPSEC_ASSERT(sav != NULL, ("esp_input: null SA")); | |
310 | IPSEC_ASSERT(sav->tdb_encalgxform != NULL, | 310 | IPSEC_ASSERT(sav->tdb_encalgxform != NULL, | |
311 | ("esp_input: null encoding xform")); | 311 | ("esp_input: null encoding xform")); | |
312 | IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, | 312 | IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, | |
313 | ("esp_input: misaligned packet, skip %u pkt len %u", | 313 | ("esp_input: misaligned packet, skip %u pkt len %u", | |
314 | skip, m->m_pkthdr.len)); | 314 | skip, m->m_pkthdr.len)); | |
315 | 315 | |||
316 | /* XXX don't pullup, just copy header */ | 316 | /* XXX don't pullup, just copy header */ | |
317 | IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); | 317 | IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); | |
318 | if (esp == NULL) { | |||
319 | /* m already freed */ | |||
320 | return EINVAL; | |||
321 | } | |||
318 | 322 | |||
319 | esph = sav->tdb_authalgxform; | 323 | esph = sav->tdb_authalgxform; | |
320 | espx = sav->tdb_encalgxform; | 324 | espx = sav->tdb_encalgxform; | |
321 | 325 | |||
322 | /* Determine the ESP header length */ | 326 | /* Determine the ESP header length */ | |
323 | if (sav->flags & SADB_X_EXT_OLD) | 327 | if (sav->flags & SADB_X_EXT_OLD) | |
324 | hlen = sizeof (struct esp) + sav->ivlen; | 328 | hlen = sizeof (struct esp) + sav->ivlen; | |
325 | else | 329 | else | |
326 | hlen = sizeof (struct newesp) + sav->ivlen; | 330 | hlen = sizeof (struct newesp) + sav->ivlen; | |
327 | /* Authenticator hash size */ | 331 | /* Authenticator hash size */ | |
328 | alen = esph ? esph->authsize : 0; | 332 | alen = esph ? esph->authsize : 0; | |
329 | 333 | |||
330 | /* | 334 | /* |
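Review bot: The new NULL check after `IP6_EXTHDR_GET` is correct only because the macro frees the mbuf on failure, and the comment `/* m already freed */` states that fact without naming who did it; a reader seeing `return EINVAL` with no `m_freem` nearby will suspect a leak. Spell the contract out, e.g. `/* IP6_EXTHDR_GET has freed m on failure; m must not be touched again */`. The other drop paths in esp_input (outside this hunk) appear to count the packet in a header-drop statistic before returning; if so, this path should do the same so that a stream of truncated ESP packets stays visible in the counters rather than being silently dropped. esp_input starts above the hunk and continues past it.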
--- src/sys/netipsec/xform_ipip.c 2018/02/15 14:51:44 1.28.14.1
+++ src/sys/netipsec/xform_ipip.c 2018/03/13 17:18:12 1.28.14.2
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: xform_ipip.c,v 1.28.14.1 2018/02/15 14:51:44 martin Exp $ */ | 1 | /* $NetBSD: xform_ipip.c,v 1.28.14.2 2018/03/13 17:18:12 snj Exp $ */ | |
2 | /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ | 2 | /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ | |
3 | /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ | 3 | /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ | |
4 | 4 | |||
5 | /* | 5 | /* | |
6 | * The authors of this code are John Ioannidis (ji@tla.org), | 6 | * The authors of this code are John Ioannidis (ji@tla.org), | |
7 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | 7 | * Angelos D. Keromytis (kermit@csd.uch.gr) and | |
8 | * Niels Provos (provos@physnet.uni-hamburg.de). | 8 | * Niels Provos (provos@physnet.uni-hamburg.de). | |
9 | * | 9 | * | |
10 | * The original version of this code was written by John Ioannidis | 10 | * The original version of this code was written by John Ioannidis | |
11 | * for BSD/OS in Athens, Greece, in November 1995. | 11 | * for BSD/OS in Athens, Greece, in November 1995. | |
12 | * | 12 | * | |
13 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | 13 | * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, | |
14 | * by Angelos D. Keromytis. | 14 | * by Angelos D. Keromytis. | |
@@ -29,27 +29,27 @@ | @@ -29,27 +29,27 @@ | |||
29 | * You may use this code under the GNU public license if you so wish. Please | 29 | * You may use this code under the GNU public license if you so wish. Please | |
30 | * contribute changes back to the authors under this freer than GPL license | 30 | * contribute changes back to the authors under this freer than GPL license | |
31 | * so that we may further the use of strong encryption without limitations to | 31 | * so that we may further the use of strong encryption without limitations to | |
32 | * all. | 32 | * all. | |
33 | * | 33 | * | |
34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | 34 | * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR | |
35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | 35 | * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY | |
36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | 36 | * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE | |
37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | 37 | * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR | |
38 | * PURPOSE. | 38 | * PURPOSE. | |
39 | */ | 39 | */ | |
40 | 40 | |||
41 | #include <sys/cdefs.h> | 41 | #include <sys/cdefs.h> | |
42 | __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.14.1 2018/02/15 14:51:44 martin Exp $"); | 42 | __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.14.2 2018/03/13 17:18:12 snj Exp $"); | |
43 | 43 | |||
44 | /* | 44 | /* | |
45 | * IP-inside-IP processing | 45 | * IP-inside-IP processing | |
46 | */ | 46 | */ | |
47 | #include "opt_inet.h" | 47 | #include "opt_inet.h" | |
48 | #ifdef __FreeBSD__ | 48 | #ifdef __FreeBSD__ | |
49 | #include "opt_inet6.h" | 49 | #include "opt_inet6.h" | |
50 | #include "opt_random_ip_id.h" | 50 | #include "opt_random_ip_id.h" | |
51 | #endif /* __FreeBSD__ */ | 51 | #endif /* __FreeBSD__ */ | |
52 | 52 | |||
53 | 53 | |||
54 | #include <sys/param.h> | 54 | #include <sys/param.h> | |
55 | #include <sys/systm.h> | 55 | #include <sys/systm.h> | |
@@ -314,27 +314,28 @@ _ipip_input(struct mbuf *m, int iphlen, | @@ -314,27 +314,28 @@ _ipip_input(struct mbuf *m, int iphlen, | |||
314 | * this is as good as any a position. | 314 | * this is as good as any a position. | |
315 | */ | 315 | */ | |
316 | 316 | |||
317 | /* Some sanity checks in the inner IP header */ | 317 | /* Some sanity checks in the inner IP header */ | |
318 | switch (v >> 4) { | 318 | switch (v >> 4) { | |
319 | #ifdef INET | 319 | #ifdef INET | |
320 | case 4: | 320 | case 4: | |
321 | ipo = mtod(m, struct ip *); | 321 | ipo = mtod(m, struct ip *); | |
322 | ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos); | 322 | ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos); | |
323 | break; | 323 | break; | |
324 | #endif /* INET */ | 324 | #endif /* INET */ | |
325 | #ifdef INET6 | 325 | #ifdef INET6 | |
326 | case 6: | 326 | case 6: | |
327 | ip6 = (struct ip6_hdr *) ipo; | 327 | ipo = NULL; | |
328 | ip6 = mtod(m, struct ip6_hdr *); | |||
328 | itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; | 329 | itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; | |
329 | ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos); | 330 | ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos); | |
330 | ip6->ip6_flow &= ~htonl(0xff << 20); | 331 | ip6->ip6_flow &= ~htonl(0xff << 20); | |
331 | ip6->ip6_flow |= htonl((u_int32_t) itos << 20); | 332 | ip6->ip6_flow |= htonl((u_int32_t) itos << 20); | |
332 | break; | 333 | break; | |
333 | #endif | 334 | #endif | |
334 | default: | 335 | default: | |
335 | panic("ipip_input: unknown ip version %u (inner)", v>>4); | 336 | panic("ipip_input: unknown ip version %u (inner)", v>>4); | |
336 | } | 337 | } | |
337 | 338 | |||
338 | /* Check for local address spoofing. */ | 339 | /* Check for local address spoofing. */ | |
339 | if ((m->m_pkthdr.rcvif == NULL || | 340 | if ((m->m_pkthdr.rcvif == NULL || | |
340 | !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && | 341 | !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && |
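Review bot: Clearing `ipo` in the IPv6 case makes the address-spoofing check below correct only if that check tests `ipo` for NULL before dereferencing it, and the check lies outside the hunk, so that should be confirmed; the same asymmetry remains for `ip6`, which is left unset in the IPv4 case (the old code derived it from `ipo`, the new code reads it fresh with `mtod`), so if the check below dispatches on both pointers, `case 4:` should also set `ip6 = NULL;`. A short comment on the new line would record the intent, `/* ipo is only meaningful for an inner IPv4 header; the spoofing check relies on it being NULL here */`. _ipip_input begins above the hunk and the `if` at the end of it continues past the last line shown.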