

[src/trunk]: src/sys/netinet6 Add missing IPsec policy checks to icmp6_rip6_i...



details:   https://anonhg.NetBSD.org/src/rev/b477a2ca023f
branches:  trunk
changeset: 355546:b477a2ca023f
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Wed Aug 02 02:18:17 2017 +0000

description:
Add missing IPsec policy checks to icmp6_rip6_input

icmp6_rip6_input is quite similar to rip6_input and the same checks exist
in rip6_input.

diffstat:

 sys/netinet6/icmp6.c |  27 +++++++++++++++++++++++++--
 1 files changed, 25 insertions(+), 2 deletions(-)

diffs (62 lines):

diff -r 5978427b7de4 -r b477a2ca023f sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Wed Aug 02 02:12:42 2017 +0000
+++ b/sys/netinet6/icmp6.c      Wed Aug 02 02:18:17 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: icmp6.c,v 1.212 2017/07/07 00:55:15 knakahara Exp $    */
+/*     $NetBSD: icmp6.c,v 1.213 2017/08/02 02:18:17 ozaki-r Exp $      */
 /*     $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.212 2017/07/07 00:55:15 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.213 2017/08/02 02:18:17 ozaki-r Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -104,6 +104,9 @@
 
 #ifdef IPSEC
 #include <netipsec/ipsec.h>
+#include <netipsec/ipsec_var.h>
+#include <netipsec/ipsec_private.h>
+#include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #endif
 
@@ -2005,6 +2008,12 @@
                        continue;
                if (last) {
                        struct  mbuf *n;
+#ifdef IPSEC
+                       /*
+                        * Check AH/ESP integrity
+                        */
+                       if (ipsec_used && !ipsec6_in_reject(m, last))
+#endif /* IPSEC */
                        if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
                                if (last->in6p_flags & IN6P_CONTROLOPTS)
                                        ip6_savecontrol(last, &opts, ip6, n);
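Review bot: The added guard `if (ipsec_used && !ipsec6_in_reject(m, last))` makes the whole `m_copy()` delivery to the earlier matching socket conditional on `ipsec_used` being true, so in a kernel built with `IPSEC` but where `ipsec_used` is clear (presumably the common case when no policies are loaded — confirm against netipsec/ipsec.c) the packet is silently never copied to `last` and only the final socket in the list receives it. The intent is to skip the copy only when a policy check actually rejects, which is `if (!ipsec_used || !ipsec6_in_reject(m, last))`. Since the description says this mirrors rip6_input, that function is worth checking for the same inversion. The enclosing loop and icmp6_rip6_input itself start before and continue past this hunk.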
@@ -2023,6 +2032,20 @@
                }
                last = in6p;
        }
+#ifdef IPSEC
+       if (ipsec_used && last && ipsec6_in_reject(m, last)) {
+               m_freem(m);
+               /*
+                * XXX ipsec6_in_reject update stat if there is an error
+                * so we just need to update stats by hand in the case of last is
+                * NULL
+                */
+               if (!last)
+                       IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
+                       IP6_STATDEC(IP6_STAT_DELIVERED);
+                       /* do not inject data into pcb */
+               } else
+#endif /* IPSEC */
        if (last) {
                if (last->in6p_flags & IN6P_CONTROLOPTS)
                        ip6_savecontrol(last, &opts, ip6, m);
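Review bot: The `if (!last)` inside the new block can never be true because the enclosing condition already requires `last` to be non-NULL, so `IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO)` is dead code and the comment above it describes a case that cannot occur here; worse, the following `IP6_STATDEC(IP6_STAT_DELIVERED)` and the "do not inject" comment are indented as though they belonged to that unbraced `if`, when only the first statement does. The block should reduce to `m_freem(m);` followed by `IP6_STATDEC(IP6_STAT_DELIVERED);` at the same indent, with the `} else` back at the level of the opening `if` so the dangling `else` over `#endif` onto `if (last) {` is visible. If this was copied from rip6_input as the description suggests, the same dead branch is presumably there too. icmp6_rip6_input continues beyond this hunk.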


