[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.16 (requested by itojun):

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.16 (requested by itojun):
From: he <he%NetBSD.org@localhost>
Date: Fri, 24 Jan 2020 07:28:15 +0000

details:   https://anonhg.NetBSD.org/src/rev/c819429029a1
branches:  netbsd-1-5
changeset: 490821:c819429029a1
user:      he <he%NetBSD.org@localhost>
date:      Sun Mar 11 21:11:21 2001 +0000

description:
Pull up revision 1.16 (requested by itojun):
  Ensure that we enforce inbound IPsec policy on all IP protocols,
  not just TCP, UDP and ICMP.

diffstat:

 sys/netinet6/esp_input.c    |  11 ++++++++---
 sys/netinet6/ipcomp_input.c |  11 ++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diffs (52 lines):

diff -r fb24fe8a77dd -r c819429029a1 sys/netinet6/esp_input.c
--- a/sys/netinet6/esp_input.c  Sun Mar 11 21:10:53 2001 +0000
+++ b/sys/netinet6/esp_input.c  Sun Mar 11 21:11:21 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: esp_input.c,v 1.1.1.1.2.5 2000/10/02 23:41:32 itojun Exp $     */
+/*     $NetBSD: esp_input.c,v 1.1.1.1.2.6 2001/03/11 21:11:21 he Exp $ */
 /*     $KAME: esp_input.c,v 1.33 2000/09/12 08:51:49 itojun Exp $      */
 
 /*
@@ -418,9 +418,14 @@
 
                key_sa_recordxfer(sav, m);
 
-               if (nxt != IPPROTO_DONE)
+               if (nxt != IPPROTO_DONE) {
+                       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+                           ipsec4_in_reject(m, NULL)) {
+                               ipsecstat.in_polvio++;
+                               goto bad;
+                       }
                        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
-               else
+               } else
                        m_freem(m);
                m = NULL;
        }
diff -r fb24fe8a77dd -r c819429029a1 sys/netinet6/ipcomp_input.c
--- a/sys/netinet6/ipcomp_input.c       Sun Mar 11 21:10:53 2001 +0000
+++ b/sys/netinet6/ipcomp_input.c       Sun Mar 11 21:11:21 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipcomp_input.c,v 1.10.4.2 2000/10/02 23:41:32 itojun Exp $     */
+/*     $NetBSD: ipcomp_input.c,v 1.10.4.3 2001/03/11 21:11:40 he Exp $ */
 /*     $KAME: ipcomp_input.c,v 1.19 2000/10/01 12:37:20 itojun Exp $   */
 
 /*
@@ -213,9 +213,14 @@
                sav = NULL;
        }
 
-       if (nxt != IPPROTO_DONE)
+       if (nxt != IPPROTO_DONE) {
+               if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+                   ipsec4_in_reject(m, NULL)) {
+                       ipsecstat.in_polvio++;
+                       goto fail;
+               }
                (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
-       else
+       } else
                m_freem(m);
        m = NULL;

Prev by Date: [src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.26 (requested by itojun):
Next by Date: [src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.59 (requested by itojun):
Previous by Thread: [src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.26 (requested by itojun):
Next by Thread: [src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.59 (requested by itojun):
Indexes:

Home | Main Index | Thread Index | Old Index