Source-Changes-HG archive


[src/netbsd-8]: src/sys/netinet Pull up following revision(s) (requested by m...



details:   https://anonhg.NetBSD.org/src/rev/8f25dc36dbae
branches:  netbsd-8
changeset: 851523:8f25dc36dbae
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Mar 30 11:17:19 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #662):

        sys/netinet/tcp_input.c: revision 1.383 (via patch)

Revert rev1.183 (2003).

It was intended as an optimization, but it increases the attack surface:

the IPsec policy is not enforced on RST packets when the socket is in the
LISTEN state, and an (unauthenticated) attacker could jam the connection
between two IPsec hosts by sending RST packets between the client's SYN
and ACK packets.

Discussed with ozaki-r@.

diffstat:

 sys/netinet/tcp_input.c |  49 +++++--------------------------------------------
 1 files changed, 5 insertions(+), 44 deletions(-)

diffs (88 lines):

diff -r 073e2d7b5af9 -r 8f25dc36dbae sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c   Fri Mar 30 11:12:15 2018 +0000
+++ b/sys/netinet/tcp_input.c   Fri Mar 30 11:17:19 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tcp_input.c,v 1.357.4.2 2017/10/21 19:43:54 snj Exp $  */
+/*     $NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $       */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.2 2017/10/21 19:43:54 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.357.4.3 2018/03/30 11:17:19 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1475,16 +1475,12 @@
                }
 #if defined(IPSEC)
                if (ipsec_used) {
-                       if (inp &&
-                           (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0
-                           && ipsec4_in_reject(m, inp)) {
+                       if (inp && ipsec4_in_reject(m, inp)) {
                                IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
                                goto drop;
                        }
 #ifdef INET6
-                       else if (in6p &&
-                           (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-                           && ipsec6_in_reject(m, in6p)) {
+                       else if (in6p && ipsec6_in_reject(m, in6p)) {
                                IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
                                goto drop;
                        }
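Review bot: The now-unconditional checks `if (inp && ipsec4_in_reject(m, inp))` and `else if (in6p && ipsec6_in_reject(m, in6p))` carry no comment explaining why listening sockets are no longer exempt, so the `SO_ACCEPTCONN` shortcut could be reintroduced later as an optimisation. A short comment above the `if (ipsec_used)` block would record the reason given in the commit description, for example `/* Enforce the IPsec policy in every state, LISTEN included: unauthenticated RSTs must not reach a listening socket. */`. The same comment fits the IPv6 check in the hunk at -1520. The enclosing function starts and ends outside this hunk.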
@@ -1520,9 +1516,7 @@
                        goto dropwithreset_ratelim;
                }
 #if defined(IPSEC)
-               if (ipsec_used && in6p
-                   && (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-                   && ipsec6_in_reject(m, in6p)) {
+               if (ipsec_used && in6p && ipsec6_in_reject(m, in6p)) {
                        IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
                        goto drop;
                }
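Review bot: A policy violation on a listening socket now ends at `goto drop` here, whereas the per-state check removed in the hunk at -1830 ended at `goto dropwithreset`, so a non-compliant SYN is presumably discarded without a reset and a misconfigured peer sees a timeout rather than a refused connection. That is a reasonable outcome for unauthenticated traffic, but neither the code nor the description records it. Consider a comment such as `/* Silent drop, no RST: the violation is counted in IPSEC_STAT_IN_POLVIO. */` so operators know which counter to watch when connections between IPsec hosts stall. The IPv4 branch in the hunk at -1475 behaves the same way. The enclosing function continues outside this hunk.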
@@ -1830,39 +1824,6 @@
                                }
 #endif
 
-#if defined(IPSEC)
-                               if (ipsec_used) {
-                                       switch (af) {
-#ifdef INET
-                                       case AF_INET:
-                                               /*
-                                                * inp can be NULL when
-                                                * receiving an IPv4 packet on
-                                                * an IPv4-mapped IPv6 address.
-                                                */
-                                               KASSERT(inp == NULL ||
-                                                   sotoinpcb(so) == inp);
-                                               if (!ipsec4_in_reject(m, inp))
-                                                       break;
-                                               IPSEC_STATINC(
-                                                   IPSEC_STAT_IN_POLVIO);
-                                               tp = NULL;
-                                               goto dropwithreset;
-#endif
-#ifdef INET6
-                                       case AF_INET6:
-                                               KASSERT(sotoin6pcb(so) == in6p);
-                                               if (!ipsec6_in_reject(m, in6p))
-                                                       break;
-                                               IPSEC6_STATINC(
-                                                   IPSEC_STAT_IN_POLVIO);
-                                               tp = NULL;
-                                               goto dropwithreset;
-#endif /*INET6*/
-                                       }
-                               }
-#endif /*IPSEC*/
-
                                /*
                                 * LISTEN socket received a SYN
                                 * from itself?  This can't possibly


