CVS commit: src/sys/net/npf

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src/sys/net/npf
From: "Maxime Villard" <maxv%netbsd.org@localhost>
Date: Wed, 21 Mar 2018 10:08:16 +0000

Module Name:    src
Committed By:   maxv
Date:           Wed Mar 21 10:08:16 UTC 2018

Modified Files:
        src/sys/net/npf: npf_inet.c

Log Message:
Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.

AH must be considered as the payload, otherwise a

        block all
        pass in proto ah from any
        pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/net/npf/npf_inet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: [netbsd-8] src
Next by Date: CVS commit: [pgoyette-compat] src/sys
Previous by Thread: CVS commit: [netbsd-8] src
Next by Thread: CVS commit: [pgoyette-compat] src/sys
Indexes:

Home | Main Index | Thread Index | Old Index