Source-Changes-HG archive


[src/trunk]: src/sys/net/npf Don't read the L4 payload after IPPROTO_AH when ...



details:   https://anonhg.NetBSD.org/src/rev/e3016c01b9e8
branches:  trunk
changeset: 831305:e3016c01b9e8
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Mar 21 10:08:16 2018 +0000

description:
Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.

AH must be considered as the payload, otherwise a

        block all
        pass in proto ah from any
        pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.
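
To make the failure mode described above concrete, here is an added, stand-alone C example. It is not NPF code and not part of this commit: a simplified IPv6 extension-header walk modelled on the loop in npf_inet.c, run over a constructed (not captured) IPv6 + Destination Options + AH + TCP packet. With stop_at_ah set, the walk reports IPPROTO_AH and the "block all / pass in proto ah" ruleset passes the packet; with the old IPv6 behaviour it steps over AH using (ip6e_len + 2) << 2, reports TCP, and the same ruleset blocks it. The function names (npf_like_l4_proto, ruleset_passes, classify_sample) and all packet bytes are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol numbers used below (same values as <netinet/in.h>). */
#ifndef IPPROTO_HOPOPTS
#define IPPROTO_HOPOPTS  0
#endif
#ifndef IPPROTO_TCP
#define IPPROTO_TCP      6
#endif
#ifndef IPPROTO_ROUTING
#define IPPROTO_ROUTING  43
#endif
#ifndef IPPROTO_FRAGMENT
#define IPPROTO_FRAGMENT 44
#endif
#ifndef IPPROTO_AH
#define IPPROTO_AH       51
#endif
#ifndef IPPROTO_DSTOPTS
#define IPPROTO_DSTOPTS  60
#endif

/*
 * Constructed sample packet (hypothetical, not captured): IPv6 header,
 * Destination Options (8 bytes), AH (payload len 4 -> 24 bytes incl. 12-byte
 * ICV), then a TCP SYN to port 22.  Total 92 bytes.
 */
static const uint8_t sample_pkt[] = {
    /* IPv6: version 6, payload length 52, next header 60 (DSTOPTS), hop limit 64 */
    0x60, 0x00, 0x00, 0x00,  0x00, 0x34, 0x3c, 0x40,
    /* src fe80::1 */
    0xfe, 0x80, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x01,
    /* dst fe80::2 */
    0xfe, 0x80, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x02,
    /* DSTOPTS: next header 51 (AH), ext len 0 (8 bytes), PadN(4) */
    0x33, 0x00, 0x01, 0x04,  0x00, 0x00, 0x00, 0x00,
    /* AH: next header 6 (TCP), payload len 4, reserved, SPI 0x1000, seq 1 */
    0x06, 0x04, 0x00, 0x00,  0x00, 0x00, 0x10, 0x00,  0x00, 0x00, 0x00, 0x01,
    /* AH ICV (12 bytes, arbitrary) */
    0xaa, 0xaa, 0xaa, 0xaa,  0xaa, 0xaa, 0xaa, 0xaa,  0xaa, 0xaa, 0xaa, 0xaa,
    /* TCP: sport 50000, dport 22, seq 1, ack 0, doff 5, SYN, window, csum, urg */
    0xc3, 0x50, 0x00, 0x16,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff,  0x00, 0x00, 0x00, 0x00,
};

/*
 * Walk the IPv6 extension-header chain and return the protocol a firewall
 * should match "proto ..." rules against, or -1 if the chain runs off the
 * end of the buffer.  stop_at_ah != 0 models the fixed behaviour (AH is the
 * payload); stop_at_ah == 0 models the old IPv6 path, which used the AH
 * length (payload_len + 2) * 4 to step over it and classify what follows.
 */
int npf_like_l4_proto(const uint8_t *pkt, size_t len, int stop_at_ah)
{
    size_t off = 40;                 /* fixed IPv6 header */
    int proto;

    if (len < off || (pkt[0] >> 4) != 6)
        return -1;
    proto = pkt[6];                  /* IPv6 "next header" */

    for (;;) {
        size_t hlen;

        switch (proto) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS:
            if (off + 2 > len)
                return -1;
            hlen = ((size_t)pkt[off + 1] + 1) << 3;  /* 8-byte units, not counting the first */
            break;
        case IPPROTO_FRAGMENT:
            hlen = 8;
            break;
        case IPPROTO_AH:
            if (stop_at_ah)
                return proto;        /* AH is the L4 protocol; do not read past it */
            if (off + 2 > len)
                return -1;
            hlen = ((size_t)pkt[off + 1] + 2) << 2;  /* AH length: 32-bit words minus 2 */
            break;
        default:
            return proto;            /* upper-layer header reached */
        }
        if (off + hlen > len)
            return -1;
        proto = pkt[off];            /* every extension header starts with "next header" */
        off += hlen;
    }
}

/* The ruleset from the commit message: "block all" plus "pass ... proto ah". */
int ruleset_passes(int proto)
{
    return proto == IPPROTO_AH;
}

/* Classify the constructed packet, optionally truncated to truncate_to bytes. */
int classify_sample(int stop_at_ah, size_t truncate_to)
{
    size_t n = sizeof(sample_pkt);
    if (truncate_to != 0 && truncate_to < n)
        n = truncate_to;
    return npf_like_l4_proto(sample_pkt, n, stop_at_ah);
}

int main(void)
{
    int fixed = classify_sample(1, 0);
    int old = classify_sample(0, 0);

    printf("fixed walk: proto %d -> %s\n", fixed, ruleset_passes(fixed) ? "pass" : "block");
    printf("old walk:   proto %d -> %s\n", old, ruleset_passes(old) ? "pass" : "block");
    return 0;
}
```

The truncation argument shows the second half of the commit message: in the old walk the classifier has to read and trust the AH length and the TCP header behind it before the ICV has been verified, whereas the fixed walk never touches those bytes.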

diffstat:

 sys/net/npf/npf_inet.c |  11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diffs (39 lines):

diff -r abb2e007c335 -r e3016c01b9e8 sys/net/npf/npf_inet.c
--- a/sys/net/npf/npf_inet.c    Wed Mar 21 09:54:39 2018 +0000
+++ b/sys/net/npf/npf_inet.c    Wed Mar 21 10:08:16 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_inet.c,v 1.42 2018/03/17 10:21:09 maxv Exp $       */
+/*     $NetBSD: npf_inet.c,v 1.43 2018/03/21 10:08:16 maxv Exp $       */
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.42 2018/03/17 10:21:09 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.43 2018/03/21 10:08:16 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -323,6 +323,10 @@
        const uint8_t ver = *(const uint8_t *)nptr;
        int flags = 0;
 
+       /*
+        * We intentionally don't read the L4 payload after IPPROTO_AH.
+        */
+
        switch (ver >> 4) {
        case IPVERSION: {
                struct ip *ip;
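Review bot: the new comment above the version switch says what is not done but not why, and it sits two hunks away from the IPv6 extension-header loop where the IPPROTO_AH case is actually removed. Consider placing it next to that switch and carrying the rationale over from the commit message, e.g. `/* AH is the L4 payload: stop here so "proto ah" rules match and an unauthenticated AH cannot reach the TCP/UDP state machine. */`.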
@@ -404,9 +408,6 @@
                                flags |= NPC_IPFRAG;
 
                                break;
-                       case IPPROTO_AH:
-                               hlen = (ip6e->ip6e_len + 2) << 2;
-                               break;
                        default:
                                hlen = 0;
                                break;
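Review bot: with the IPPROTO_AH case gone, AH falls into the default branch and relies on `hlen = 0` to end the extension-header walk with AH as the recorded protocol; the loop exit on hlen == 0 is outside this hunk, so please confirm it, and confirm that nothing downstream dereferences an L4 header when the protocol is IPPROTO_AH. The removed `hlen = (ip6e->ip6e_len + 2) << 2` was the correct AH length, so this is a deliberate stop rather than a length fix; an npftest case feeding an IPv6 AH packet through `block all` / `pass in proto ah` would pin the new behaviour and the IPv4 parity claimed in the message.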


