Tue Mar 13 17:18:12 2018 UTC ()
Pull up following revision(s) (requested by maxv in ticket #1532):
	sys/netipsec/xform_ah.c: 1.77 via patch
	sys/netipsec/xform_esp.c: 1.73 via patch
	sys/netipsec/xform_ipip.c: 1.56-1.57 via patch
Reinforce and clarify.
--
Add missing NULL check. Normally that's not triggerable remotely, since we
are guaranteed that 8 bytes are valid at mbuf+skip.
--
Fix use-after-free. There is a path where the mbuf gets pulled up without
a proper mtod afterwards:
218     ipo = mtod(m, struct ip *);
281     m = m_pullup(m, hlen);
232     ipo->ip_src.s_addr
Found by Mootja.
Meanwhile it seems to me that 'ipo' should be set to NULL if the inner
packet is IPv6, but I'll revisit that later.
--
As I said in my last commit in this file, ipo should be set to NULL;
otherwise the 'local address spoofing' check below is always wrong on
IPv6.


(snj)
diff -r1.37.6.3 -r1.37.6.4 src/sys/netipsec/xform_ah.c
diff -r1.40 -r1.40.6.1 src/sys/netipsec/xform_esp.c
diff -r1.28.14.1 -r1.28.14.2 src/sys/netipsec/xform_ipip.c


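--- a/src/sys/netipsec/xform_ah.c
+++ b/src/sys/netipsec/xform_ah.c
@@ -1,14 +1,14 @@
-/* $NetBSD: xform_ah.c,v 1.37.6.3 2018/02/15 16:50:01 martin Exp $ */
+/* $NetBSD: xform_ah.c,v 1.37.6.4 2018/03/13 17:18:12 snj Exp $ */
 /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
  * Niels Provos (provos@physnet.uni-hamburg.de).
  *
  * The original version of this code was written by John Ioannidis
  * for BSD/OS in Athens, Greece, in November 1995.
  *
  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
  * by Angelos D. Keromytis.
  *
@@ -29,27 +29,27 @@
  * You may use this code under the GNU public license if you so wish. Please
  * contribute changes back to the authors under this freer than GPL license
  * so that we may further the use of strong encryption without limitations to
  * all.
  *
  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
  * PURPOSE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.6.3 2018/02/15 16:50:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.37.6.4 2018/03/13 17:18:12 snj Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
 #include "opt_inet6.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/syslog.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
@@ -488,74 +488,65 @@ ah_massage_headers(struct mbuf **m0, int
  skip - sizeof(struct ip6_hdr), ptr);
  alloc = 1;
  } else {
  /* No need to allocate memory. */
  ptr = mtod(m, unsigned char *) +
  sizeof(struct ip6_hdr);
  alloc = 0;
  }
  } else
  break;
 
  nxt = ip6.ip6_nxt & 0xff; /* Next header type. */
 
- for (off = 0; off < skip - sizeof(struct ip6_hdr);)
+ for (off = 0; off < skip - sizeof(struct ip6_hdr);) {
+ int noff;
+
  switch (nxt) {
  case IPPROTO_HOPOPTS:
  case IPPROTO_DSTOPTS:
- ip6e = (struct ip6_ext *) (ptr + off);
+ ip6e = (struct ip6_ext *)(ptr + off);
+ noff = off + ((ip6e->ip6e_len + 1) << 3);
+
+ /* Sanity check. */
+ if (noff > skip - sizeof(struct ip6_hdr)) {
+ goto error6;
+ }
 
  /*
- * Process the mutable/immutable
- * options -- borrows heavily from the
- * KAME code.
+ * Zero out mutable options.
  */
  for (count = off + sizeof(struct ip6_ext);
- count < off + ((ip6e->ip6e_len + 1) << 3);) {
+ count < noff;) {
  if (ptr[count] == IP6OPT_PAD1) {
  count++;
- continue; /* Skip padding. */
- }
-
- /* Sanity check. */
- if (count > off +
- ((ip6e->ip6e_len + 1) << 3)) {
- m_freem(m);
-
- /* Free, if we allocated. */
- if (alloc)
- free(ptr, M_XDATA);
- return EINVAL;
+ continue;
  }
 
  ad = ptr[count + 1] + 2;
 
- /* If mutable option, zeroize. */
- if (ptr[count] & IP6OPT_MUTABLE)
- memcpy(ptr + count, ipseczeroes,
- ad);
+ if (count + ad > noff) {
+ goto error6;
+ }
+
+ if (ptr[count] & IP6OPT_MUTABLE) {
+ memset(ptr + count, 0, ad);
+ }
 
  count += ad;
+ }
 
- /* Sanity check. */
- if (count >
- skip - sizeof(struct ip6_hdr)) {
- m_freem(m);
-
- /* Free, if we allocated. */
- if (alloc)
- free(ptr, M_XDATA);
- return EINVAL;
- }
+ if (count != noff) {
+ goto error6;
  }
 
  /* Advance. */
  off += ((ip6e->ip6e_len + 1) << 3);
  nxt = ip6e->ip6e_nxt;
  break;
 
  case IPPROTO_ROUTING:
  /*
  * Always include routing headers in
  * computation.
  */
  {
@@ -593,31 +584,33 @@ ah_massage_headers(struct mbuf **m0, int
 
  rh0->ip6r0_segleft = 0;
  }
 
  /* advance */
  off += ((ip6e->ip6e_len + 1) << 3);
  nxt = ip6e->ip6e_nxt;
  break;
  }
 
  default:
  DPRINTF(("ah_massage_headers: unexpected "
  "IPv6 header type %d", off));
+error6:
  if (alloc)
  free(ptr, M_XDATA);
  m_freem(m);
  return EINVAL;
  }
+ }
 
  /* Copyback and free, if we allocated. */
  if (alloc) {
  m_copyback(m, sizeof(struct ip6_hdr),
  skip - sizeof(struct ip6_hdr), ptr);
  free(ptr, M_XDATA);
  }
 
  break;
 #endif /* INET6 */
  }
 
  return 0;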
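Review bot: The new bound checks in the HOPOPTS/DSTOPTS case still read before they validate: `ip6e->ip6e_len` is dereferenced at new line 508 while the loop condition only guarantees `off < skip - sizeof(struct ip6_hdr)`, so with a single byte left the length octet lies one past the region `ptr` covers, and `ptr[count + 1]` at new line 525 is likewise read before `count + ad > noff` is evaluated. Both are one-byte over-reads of a buffer that, as far as the hunk shows, spans exactly `skip - sizeof(struct ip6_hdr)` bytes; the resulting garbage is caught by the following check, but the access itself is still out of bounds. I would add `if (off + sizeof(struct ip6_ext) > skip - sizeof(struct ip6_hdr)) goto error6;` before the `ip6e` cast and `if (count + 2 > noff) goto error6;` before `ad = ptr[count + 1] + 2;`. Since `error6` now sits inside the `default:` arm, a comment above the label such as `/* error6: release ptr if we allocated it, drop m */` would help readers arriving via goto understand that the DPRINTF above it is not on their path. ah_massage_headers begins before the first of these hunks and its closing brace is outside the last one.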


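--- a/src/sys/netipsec/xform_esp.c
+++ b/src/sys/netipsec/xform_esp.c
@@ -1,14 +1,14 @@
-/* $NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $ */
+/* $NetBSD: xform_esp.c,v 1.40.6.1 2018/03/13 17:18:12 snj Exp $ */
 /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
  * Niels Provos (provos@physnet.uni-hamburg.de).
  *
  * The original version of this code was written by John Ioannidis
  * for BSD/OS in Athens, Greece, in November 1995.
  *
  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
  * by Angelos D. Keromytis.
@@ -29,27 +29,27 @@
  * You may use this code under the GNU public license if you so wish. Please
  * contribute changes back to the authors under this freer than GPL license
  * so that we may further the use of strong encryption without limitations to
  * all.
  *
  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
  * PURPOSE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40.6.1 2018/03/13 17:18:12 snj Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
 #include "opt_inet6.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/syslog.h>
 #include <sys/kernel.h>
 /*#include <sys/random.h>*/
@@ -305,26 +305,30 @@ esp_input(struct mbuf *m, const struct s
  struct cryptop *crp;
 
  IPSEC_SPLASSERT_SOFTNET("esp_input");
 
  IPSEC_ASSERT(sav != NULL, ("esp_input: null SA"));
  IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
  ("esp_input: null encoding xform"));
  IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
  ("esp_input: misaligned packet, skip %u pkt len %u",
  skip, m->m_pkthdr.len));
 
  /* XXX don't pullup, just copy header */
  IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
+ if (esp == NULL) {
+ /* m already freed */
+ return EINVAL;
+ }
 
  esph = sav->tdb_authalgxform;
  espx = sav->tdb_encalgxform;
 
  /* Determine the ESP header length */
  if (sav->flags & SADB_X_EXT_OLD)
  hlen = sizeof (struct esp) + sav->ivlen;
  else
  hlen = sizeof (struct newesp) + sav->ivlen;
  /* Authenticator hash size */
  alen = esph ? esph->authsize : 0;
 
  /*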
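Review bot: The new `esp == NULL` exit at new lines 318-321 drops the packet without recording the drop anywhere; the other early failures in esp_input (outside this hunk, so inferred rather than seen) count into the ESP statistics before freeing, and if that holds here an `ESP_STATINC(ESP_STAT_HDROPS);` before `return EINVAL;` keeps the accounting consistent and makes this path visible to operators. The `/* m already freed */` comment carries the important ownership contract but not whose it is; I would write `/* IP6_EXTHDR_GET failed and already freed m */` so nobody adds an m_freem here later. esp_input continues past the end of the hunk.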


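--- a/src/sys/netipsec/xform_ipip.c
+++ b/src/sys/netipsec/xform_ipip.c
@@ -1,14 +1,14 @@
-/* $NetBSD: xform_ipip.c,v 1.28.14.1 2018/02/15 14:51:44 martin Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.28.14.2 2018/03/13 17:18:12 snj Exp $ */
 /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
  * Niels Provos (provos@physnet.uni-hamburg.de).
  *
  * The original version of this code was written by John Ioannidis
  * for BSD/OS in Athens, Greece, in November 1995.
  *
  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
  * by Angelos D. Keromytis.
@@ -29,27 +29,27 @@
  * You may use this code under the GNU public license if you so wish. Please
  * contribute changes back to the authors under this freer than GPL license
  * so that we may further the use of strong encryption without limitations to
  * all.
  *
  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
  * PURPOSE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.14.1 2018/02/15 14:51:44 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.28.14.2 2018/03/13 17:18:12 snj Exp $");
 
 /*
  * IP-inside-IP processing
  */
 #include "opt_inet.h"
 #ifdef __FreeBSD__
 #include "opt_inet6.h"
 #include "opt_random_ip_id.h"
 #endif /* __FreeBSD__ */
 
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -314,27 +314,28 @@ _ipip_input(struct mbuf *m, int iphlen,
  * this is as good as any a position.
  */
 
  /* Some sanity checks in the inner IP header */
  switch (v >> 4) {
 #ifdef INET
  case 4:
  ipo = mtod(m, struct ip *);
  ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos);
  break;
 #endif /* INET */
 #ifdef INET6
  case 6:
- ip6 = (struct ip6_hdr *) ipo;
+ ipo = NULL;
+ ip6 = mtod(m, struct ip6_hdr *);
  itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
  ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos);
  ip6->ip6_flow &= ~htonl(0xff << 20);
  ip6->ip6_flow |= htonl((u_int32_t) itos << 20);
  break;
 #endif
  default:
  panic("ipip_input: unknown ip version %u (inner)", v>>4);
  }
 
  /* Check for local address spoofing. */
  if ((m->m_pkthdr.rcvif == NULL ||
  !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&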
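Review bot: `case 6` now clears `ipo` so the IPv4 arm of the spoofing check below cannot consume it, but `case 4` leaves `ip6` untouched; if that check (cut off at the end of the hunk) also keys on `ip6` for the IPv6 arm, a value left over from its declaration, which is outside the hunk, would be trusted exactly the way the stale `ipo` was before this fix. Adding the symmetric `ip6 = NULL;` under `case 4`, or initialising both pointers to NULL where they are declared, removes that asymmetry without changing the fix. The bare `ipo = NULL;` also deserves a why-comment, e.g. `/* inner packet is IPv6; the IPv4 spoofing check below must not look at ipo */`. _ipip_input starts before the hunk and continues after it.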