Subject: kern/36781: IPSEC_NAT_T fails to set UDP length
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock@nagler-company.com>
List: netbsd-bugs
Date: 08/14/2007 15:35:00
>Number:         36781
>Category:       kern
>Synopsis:       IPSEC_NAT_T fails to set UDP length
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 14 15:35:00 +0000 2007
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 3.1
>Organization:
Dr. Nagler & Company GmbH
	
>Environment:
	
	
System: NetBSD test-s0 3.1 NetBSD 3.1 (test-s0) #0: Tue Apr 3 11:33:43 CEST 2007 root@test-s0:/usr/src/sys/arch/i386/compile/test-s0 i386
Architecture: i386
Machine: i386
>Description:
	When encapsulating ESP in UDP packets, the length field of the UDP packet is set as the last thing.
	But when no AH is used, the code jumps to the label "noantireplay" in order to send the packet.
	Due to a sw-bug the label is placed behind the code that inserts the UDP length into the packet.

	The result is a UDP packet with length 0 - this packet will be dropped at the receiver side.
	At the moment NAT-T without AH does not work at all.
>How-To-Repeat:
	Try to use NAT-T in ESP tunnel mode without AH
>Fix:
	apply the following fix to /usr/src/sys/netinet6/esp_output.c:

*** esp_output.c.orig	Tue Aug 14 17:26:50 2007
--- esp_output.c	Tue Aug 14 17:26:18 2007
***************
*** 687,693 ****
  	}
      }
  
+ noantireplay:
  #ifdef IPSEC_NAT_T
  	if (sav->natt_type != 0) {
  		struct ip *ip;
--- 687,692 ----
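Review bot: the `+`/`-` markers in this hunk contradict its range headers and the fix described above: the old range `*** 687,693 ****` is one line longer than the new range `--- 687,692 ----`, so the hunk removes a line from the original, yet the only marked line is `+ noantireplay:`, and the same inversion appears in the second hunk (`*** 702,707 ****` to `--- 701,707 ----` with a `-` line). Read by the ranges, this diff moves the label from above `#ifdef IPSEC_NAT_T` to below `#endif`, the opposite of the intended fix; the `.orig` timestamp being newer than that of `esp_output.c` suggests the two files were handed to diff in reverse order. Please regenerate with `diff -c esp_output.c.orig esp_output.c` so the hunk applies mechanically and its direction matches the description.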
***************
*** 702,707 ****
--- 701,707 ----
  	}
  #endif /* IPSEC_NAT_T */
  
- noantireplay:
  	if (!m) {
  		ipseclog((LOG_ERR,
  		    "NULL mbuf after encryption in esp%d_output", afnumber));
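Review bot: once the label sits above the NAT-T block, the only code between `noantireplay:` and `if (!m)` is the `#ifdef IPSEC_NAT_T` ... `#endif` region, so on a kernel built without IPSEC_NAT_T the label is directly followed by the `if (!m)` statement; that still compiles, but the goto path from the no-AH case now runs the NAT-T length fixup before the NULL-mbuf check, as the fall-through path already did. Since the hunk elides the body of the `if (sav->natt_type != 0)` block, please confirm that it guards its `struct ip *ip` use against `m` being NULL after encryption, or move the `if (!m)` check ahead of the label so both paths are covered.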

>Unformatted: