kern/44463: FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/44463: FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets
From: Wolfgang.Stukenbrock%nagler-company.com@localhost
Date: Wed, 26 Jan 2011 10:35:01 +0000 (UTC)

>Number:         44463
>Category:       kern
>Synopsis:       FAST_IPSEC may send icmp-error message for expanded 
>IPCOMP-tunnel packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 26 10:35:00 +0000 2011
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
        
        
System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 
2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
        For the IPSEC implementation the M_DECRYPTED flag is set in both cases 
(ESP and IPCOMP)
        if a packet is processed.
        This flag is used in /usr/src/sys/netinet/ip_icmp.c (line 246) to avoid 
sending an icmp error packet.

        In the FAST_IPSEC implementation this flag is only set after ESP 
processing.
        So if you setup an IPCOMP-only-tunnel, icmp error packets may be 
generated for the decrypted packet.

        Accedently the M_DECRYPTED flag is used in 
/usr/src/sys/netipsec/ipsec.c function ipsec_in_reject()
        to detect if a packet has been sucessfully processed by ESP. So this 
flag cannot be used
        for IPCOMP too in FAST_IPSEC.
>How-To-Repeat:
        Found by a look into the sources.
>Fix:
        I think another flag (e.g. M_IPCOMP_DONE 0x100000) is needed in the set 
of mbuf-flags, but I'm not shure
        if this is OK. Therefore I've adde no patch up to now.
        This flag should be added to M_COPYFLAGS and M_FLAGS_BITS too - as far 
as I understand the mbuf processing.

        I this flag is added, it must be checked in ip_icmp.c (line 246) too 
and set after IPCOMP processing is done
        int /usr/src/sys/netipsec/xform_ipcomp.c function ipcomp_input_cb() 
prior the call to the macro IPSEC_COMMON_INPUT_CB().
        This would introduce the same semantics in FAST_IPSEC as in IPSEC.
        The flag may be used in the IPSEC part too, but it is not nessesary for 
the functionality.

>Unformatted:

Prev by Date: PR/44462 CVS commit: src/crypto/dist/heimdal/kuser
Next by Date: kern/44464: linux emul panic while starting opera-11
Previous by Thread: PR/44462 CVS commit: src/crypto/dist/heimdal/kuser
Next by Thread: kern/44464: linux emul panic while starting opera-11
Indexes:

Home | Main Index | Thread Index | Old Index