From: Matthew Dillon
Date: Mon, 1 May 2006 16:26:54 +0000 (+0000)
Subject: more strict sanity check for ESP tail. [From KAME]
X-Git-Tag: v2.0.1~4998
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/638ad557771831cb7d1415787691e1d187a29f27
more strict sanity check for ESP tail. [From KAME] Fix IPv6 error statistics being recorded as IPv4. m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has to happen before the call to m_cat(). [May not apply.]
Submitted-by: Gary Allan
Taken-from: FreeBSD4
---
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 417631dbee..d94ff70e1e 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -1,5 +1,5 @@
 /* $FreeBSD: src/sys/netinet6/esp_input.c,v 1.1.2.8 2003/01/23 21:06:47 sam Exp $ */
-/* $DragonFly: src/sys/netinet6/esp_input.c,v 1.10 2006/01/14 11:44:24 swildner Exp $ */
+/* $DragonFly: src/sys/netinet6/esp_input.c,v 1.11 2006/05/01 16:26:54 dillon Exp $ */
 /* $KAME: esp_input.c,v 1.62 2002/01/07 11:39:57 kjc Exp $ */
 /*
@@ -334,8 +334,8 @@ noreplaycheck:
 nxt = esptail.esp_nxt;
 taillen = esptail.esp_padlen + sizeof(esptail);
- if (m->m_pkthdr.len < taillen
- || m->m_pkthdr.len - taillen < hlen) { /* ? */
+ if (m->m_pkthdr.len < taillen ||
+ m->m_pkthdr.len - taillen < off + esplen + ivlen + sizeof(esptail)) {
 ipseclog((LOG_WARNING, "bad pad length in IPv4 ESP input: %s %s\n", ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
@@ -581,7 +581,7 @@ esp6_input(struct mbuf **mp, int *offp, int proto)
 goto noreplaycheck;
 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) {
- ipsecstat.in_inval++;
+ ipsec6stat.in_inval++;
 goto bad;
 }
 if (AH_MAXSUMSIZE < siz) {
@@ -797,9 +797,9 @@ noreplaycheck:
 goto bad;
 }
 m_adj(n, stripsiz);
- m_cat(m, n);
 /* m_cat does not update m_pkthdr.len */
 m->m_pkthdr.len += n->m_pkthdr.len;
+ m_cat(m, n);
 }
 #ifndef PULLDOWN_TEST
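Review bot: In the hunk at -334,8 the new lower bound `off + esplen + ivlen + sizeof(esptail)` carries no comment, and the `/* ? */` marker it replaces shows the old bound was already unclear to its author. Because `taillen` already contains `sizeof(esptail)`, the right-hand side counts the trailer a second time, so the test demands at least `sizeof(esptail)` bytes of payload beyond the headers and IV; the code should say whether that margin is intended. A comment above the `if` would settle it, e.g. `/* esp_padlen is read from the packet: after dropping pad + trailer the mbuf must still cover off + ESP header + IV */`. The subtraction is only safe because the first clause short-circuits, and the operand types are declared outside the hunk, so the signed/unsigned mix in the comparison should be confirmed there.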
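Review bot: In the hunk at -797,9 the retained comment `/* m_cat does not update m_pkthdr.len */` explains why the length is added by hand but not why that now has to happen before `m_cat(m, n)`, so a later cleanup could restore the old order. Per the commit message m_cat() may free its second argument, which would make `n->m_pkthdr.len` a read of freed memory if it followed the call; I would extend the comment to `/* m_cat() may free n and does not update m_pkthdr.len: add n's length first */`. The enclosing block continues past the hunk, so it is worth checking that `n` is not touched again after the call.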