NetBSD-Bugs archive


Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header



The following reply was made to PR kern/56836; it has been noted by GNATS.

From: Andrew Cagney <andrew.cagney%gmail.com@localhost>
To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, 
	gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
Date: Mon, 16 May 2022 14:13:57 -0400

 (so how do I bundle patches)
 
 always always send / expect CPI in IPcomp header
 
 Fixes kern/56836 where an IPsec interop combining compression and
 ESP|AH would fail.
 
 Since fast ipsec, the outgoing IPcomp header has contained the
 compression algorithm instead of the CPI.  Adding the
 SADB_X_EXT_RAWCPI flag worked around this but ...
 
 The IPcomp's SADB was unconditionally hashed using the compression
 algorithm instead of the CPI.  This meant that an incoming packet with
 a valid CPI could never match its SADB.
 ---
  sys/netipsec/key.c          | 5 +----
  sys/netipsec/xform_ipcomp.c | 7 +------
  2 files changed, 2 insertions(+), 10 deletions(-)
 
 diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
 index 4ad4a8d466d9..11577960f93f 100644
 --- a/sys/netipsec/key.c
 +++ b/sys/netipsec/key.c
 @@ -8755,10 +8755,7 @@ key_savlut_writer_insert_head(struct secasvar *sav)
      KASSERT(mutex_owned(&key_sad.lock));
      KASSERT(!sav->savlut_added);
 
 -    if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
 -        hash_key = sav->alg_comp;
 -    else
 -        hash_key = sav->spi;
 +    hash_key = sav->spi;
 
      hash = key_savluthash(&sav->sah->saidx.dst.sa,
          sav->sah->saidx.proto, hash_key, key_sad.savlutmask);
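Review bot: this hunk only fixes the insert side of the SA lookup table, and the fix depends on the receive-side lookup hashing the same value for IPcomp: the 16-bit CPI taken from the header must be widened into the 32-bit network-order form kept in sav->spi (the xform_ipcomp.c hunk derives the wire CPI as ntohl(sav->spi) & 0xffff, so the inverse on input is htonl of the 16-bit CPI) before it is passed to key_savluthash, and nothing else may still hash on sav->alg_comp, otherwise inbound IPcomp SAs will continue to never match. Please confirm the lookup path does this. Minor: with the IPPROTO_IPCOMP branch gone, hash_key is just an alias for sav->spi, so the variable can be dropped and sav->spi passed to key_savluthash directly.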
 diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
 index e94a0b471042..69d196bc7e39 100644
 --- a/sys/netipsec/xform_ipcomp.c
 +++ b/sys/netipsec/xform_ipcomp.c
 @@ -527,7 +527,6 @@ ipcomp_output_cb(struct cryptop *crp)
      struct mbuf *m, *mo;
      int error, skip, rlen, roff, flags;
      uint8_t prot;
 -    uint16_t cpi;
      struct ipcomp * ipcomp;
      IPSEC_DECLARE_LOCK_VARIABLE;
 
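Review bot: dropping the function-scope `uint16_t cpi;` here only to reintroduce it as a mid-block declaration in the next hunk trades a KNF-conformant declaration for a mixed declaration and statement; NetBSD kernel style keeps declarations at the top of the block, so keep this line and simply assign `cpi = ntohl(sav->spi) & 0xffff;` at the use site.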
 @@ -589,11 +588,7 @@ ipcomp_output_cb(struct cryptop *crp)
  #endif
          }
          ipcomp->comp_flags = 0;
 -
 -        if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
 -            cpi = sav->alg_enc;
 -        else
 -            cpi = ntohl(sav->spi) & 0xffff;
 +        uint16_t cpi = ntohl(sav->spi) & 0xffff;
          ipcomp->comp_cpi = htons(cpi);
 
          /* Fix Next Protocol in IPv4/IPv6 header */
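Review bot: removing the SADB_X_EXT_RAWCPI test means the flag is still accepted from userland but no longer has any effect on output; the commit message and the documentation of SADB_X_EXT_RAWCPI should state that it is now a no-op (or the flag should be marked obsolete) so setkey/libipsec users do not keep setting it as the workaround. Separately, `uint16_t cpi = ntohl(sav->spi) & 0xffff;` silently truncates an SPI that does not fit in 16 bits, and a truncated CPI on the wire will not match the SA's SPI on the receiving side; since every IPcomp SA now needs a 16-bit SPI, reject out-of-range values when the SA is installed in key.c rather than masking them here. RFC 3173 also reserves the low CPI values (0-63) for well-known algorithm numbers, which is exactly what the removed `cpi = sav->alg_enc;` path was sending in place of a negotiated CPI, so a range check at SA creation would have caught the original bug as well.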
 -- 
 2.35.3
 
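As an added illustration of the round trip the patch restores, the following is stand-alone example code and not part of the PR or of NetBSD's sources. It builds an IPcomp header the way the patched ipcomp_output_cb does (low 16 bits of the network-order SPI), the way the pre-patch path did without SADB_X_EXT_RAWCPI (algorithm number on the wire), and then performs the receive-side step the key.c hunk relies on: widening the 16-bit CPI back into the 32-bit network-order key that sav->spi holds. `struct toy_sav` is an assumed stand-in for the two secasvar fields involved, not the kernel structure; the algorithm number 2 (DEFLATE in NetBSD's pfkeyv2.h) and CPI 0x1234 are constructed inputs.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* IPcomp header (RFC 3173, section 2): next header, flags, 16-bit CPI in network order. */
struct ipcomp_hdr {
	uint8_t  comp_nxt;
	uint8_t  comp_flags;
	uint16_t comp_cpi;
};

/*
 * Assumed stand-in for the secasvar fields the patch touches; this mirrors
 * but is not NetBSD's struct secasvar.  spi is network byte order, as in the kernel.
 */
struct toy_sav {
	uint32_t spi;
	uint8_t  alg_comp;	/* compression algorithm number, e.g. 2 = DEFLATE */
};

/* Patched output path: the CPI is the low 16 bits of the SPI, whatever the algorithm. */
static void
ipcomp_output_fixed(const struct toy_sav *sav, uint8_t nxt, struct ipcomp_hdr *h)
{
	uint16_t cpi = ntohl(sav->spi) & 0xffff;

	h->comp_nxt = nxt;
	h->comp_flags = 0;
	h->comp_cpi = htons(cpi);
}

/* Pre-patch output path without SADB_X_EXT_RAWCPI: the algorithm number went on the wire. */
static void
ipcomp_output_old(const struct toy_sav *sav, uint8_t nxt, struct ipcomp_hdr *h)
{
	uint16_t cpi = sav->alg_comp;

	h->comp_nxt = nxt;
	h->comp_flags = 0;
	h->comp_cpi = htons(cpi);
}

/*
 * Receive side: pull the CPI from the header and widen it into the 32-bit
 * network-order form that sav->spi holds, so it compares (and hashes) the
 * same way an ESP/AH SPI does.  This is the inverse of ntohl(spi) & 0xffff.
 */
static uint32_t
ipcomp_input_key(const struct ipcomp_hdr *h)
{
	return htonl((uint32_t)ntohs(h->comp_cpi));
}

/* Does the received header select this SA?  The SA table lookup must agree with this. */
static int
ipcomp_sa_matches(const struct ipcomp_hdr *h, const struct toy_sav *sav)
{
	return ipcomp_input_key(h) == sav->spi;
}

/* Caveat the mask hides: an IPcomp SA's SPI must fit in 16 bits to be a valid CPI. */
static int
ipcomp_cpi_fits(uint32_t spi_host)
{
	return spi_host <= 0xffff;
}

/* What goes on the wire for a given SA, old or patched path (4 = IPPROTO_IPIP, tunnel mode). */
static uint16_t
wire_cpi(uint32_t spi_host, uint8_t alg_comp, int patched)
{
	struct toy_sav sav = { htonl(spi_host), alg_comp };
	struct ipcomp_hdr h;

	if (patched)
		ipcomp_output_fixed(&sav, 4, &h);
	else
		ipcomp_output_old(&sav, 4, &h);
	return ntohs(h.comp_cpi);
}

/* Would a peer holding the same SA find it from the header we emitted? */
static int
roundtrip_matches(uint32_t spi_host, uint8_t alg_comp, int patched)
{
	struct toy_sav sav = { htonl(spi_host), alg_comp };
	struct ipcomp_hdr h;

	if (patched)
		ipcomp_output_fixed(&sav, 4, &h);
	else
		ipcomp_output_old(&sav, 4, &h);
	return ipcomp_sa_matches(&h, &sav);
}

int
main(void)
{
	/* Constructed SA: negotiated CPI 0x1234, DEFLATE (algorithm number 2). */
	printf("patched: wire CPI 0x%04x, peer finds SA: %d\n",
	    wire_cpi(0x1234, 2, 1), roundtrip_matches(0x1234, 2, 1));
	printf("old:     wire CPI 0x%04x, peer finds SA: %d\n",
	    wire_cpi(0x1234, 2, 0), roundtrip_matches(0x1234, 2, 0));
	printf("SPI 0x10000 usable as a CPI: %d\n", ipcomp_cpi_fits(0x10000));
	return 0;
}
```

With the old path the header carries 2 rather than 0x1234, so a peer that indexes its SAs by CPI never finds the association, which is the interop failure the PR describes; the last check shows that an SPI above 0xffff is truncated by the mask and likewise fails the round trip, which is why validating IPcomp SPIs at SA creation matters.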

