
[src/netbsd-3-0]: src/sys/netipsec Pull up following revision(s) (requested b...



details:   https://anonhg.NetBSD.org/src/rev/93fb2bdcef45
branches:  netbsd-3-0
changeset: 579463:93fb2bdcef45
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Thu Nov 22 19:01:36 2007 +0000

description:
Pull up following revision(s) (requested by adrianp in ticket #1878):
        sys/netipsec/xform_ah.c: revision 1.19 via patch
        sys/netipsec/ipsec.c: revision 1.34 via patch
        sys/netipsec/xform_ipip.c: revision 1.18 via patch
        sys/netipsec/ipsec_output.c: revision 1.23 via patch
        sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. As a result,
IPsec processing that depends on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

diffstat:

 sys/netipsec/ipsec.c        |   8 ++++----
 sys/netipsec/ipsec_osdep.h  |  19 +++++++++++++++++--
 sys/netipsec/ipsec_output.c |   8 +++-----
 sys/netipsec/xform_ah.c     |   8 ++++----
 sys/netipsec/xform_ipip.c   |   8 +++-----
 5 files changed, 31 insertions(+), 20 deletions(-)

diffs (168 lines):

diff -r 846e0e79a051 -r 93fb2bdcef45 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c      Mon Nov 19 21:10:06 2007 +0000
+++ b/sys/netipsec/ipsec.c      Thu Nov 22 19:01:36 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.c,v 1.15 2005/02/26 22:45:13 perry Exp $ */
+/*     $NetBSD: ipsec.c,v 1.15.4.1 2007/11/22 19:01:36 bouyer Exp $    */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $       */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.15 2005/02/26 22:45:13 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.15.4.1 2007/11/22 19:01:36 bouyer Exp $");
 
 /*
  * IPsec controller part.
@@ -870,7 +870,7 @@
        /* NB: ip_input() flips it into host endian XXX need more checking */
        if (m->m_len >= sizeof(struct ip)) {
                struct ip *ip = mtod(m, struct ip *);
-               if (ip->ip_off & (IP_MF | IP_OFFMASK))
+               if (ip->ip_off & IP_OFF_CONVERT(IP_MF | IP_OFFMASK))
                        goto done;
 #ifdef _IP_VHL
                off = _IP_VHL_HL(ip->ip_vhl) << 2;
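Review bot: The context comment `/* NB: ip_input() flips it into host endian XXX need more checking */` directly above the changed test is now contradicted by the new code, which on NetBSD expects ip_off in network byte order and swaps the mask instead; left in place it invites the next reader to "fix" the check back to the host-order form that produced the bypass. Replace it with `/* NB: ip_off byte order is platform-dependent (host order on FreeBSD, network order on NetBSD); IP_OFF_CONVERT in ipsec_osdep.h swaps the mask to match. */`. The following hunk tests ih.ip_off the same way on the m_copydata path and would benefit from the same one-line note. The enclosing function (ipsec4_get_ulp, going by the commit message) starts and ends outside the hunk.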
@@ -882,7 +882,7 @@
                struct ip ih;
 
                m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
-               if (ih.ip_off & (IP_MF | IP_OFFMASK))
+               if (ih.ip_off & IP_OFF_CONVERT(IP_MF | IP_OFFMASK))
                        goto done;
 #ifdef _IP_VHL
                off = _IP_VHL_HL(ih.ip_vhl) << 2;
diff -r 846e0e79a051 -r 93fb2bdcef45 sys/netipsec/ipsec_osdep.h
--- a/sys/netipsec/ipsec_osdep.h        Mon Nov 19 21:10:06 2007 +0000
+++ b/sys/netipsec/ipsec_osdep.h        Thu Nov 22 19:01:36 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_osdep.h,v 1.11 2005/02/26 22:45:13 perry Exp $   */
+/*     $NetBSD: ipsec_osdep.h,v 1.11.4.1 2007/11/22 19:01:37 bouyer Exp $      */
 /*     $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_osdep.h,v 1.1 2003/09/29 22:47:45 sam Exp $    */
 
 /*
@@ -44,6 +44,7 @@
  * 9.  Global SLIST of all open raw sockets.
  * 10. Global SLIST of known interface addresses.
  * 11. Type of initialization functions.
+ * 12. Byte order of ip_off
  */
 
 /*
@@ -268,8 +269,22 @@
 #define INITFN extern
 #endif
 
+/* 12. On FreeBSD, ip_off  assumed in host endian;
+ * it is converted (if necessary) by ip_input().
+ * On NetBSD, ip_off is in network byte order.
+ * We hide the difference with the macro IP_OFF_CONVERT
+ */
+
+#ifdef __FreeBSD__
+#define IP_OFF_CONVERT(x) (x)
+#endif
+
+#ifdef __NetBSD__
+#define IP_OFF_CONVERT(x) (htons(x))
+#endif
+
 /*
- * 12. IPv6 support, and "generic" inpcb vs. IPv4 pcb vs. IPv6 pcb.
+ * 13. IPv6 support, and "generic" inpcb vs. IPv4 pcb vs. IPv6 pcb.
  * To IPv6 V4-mapped addresses (and the KAME-derived implementation
  * of IPv6 v4-mapped addresses)  we must support limited polymorphism:
  * partway down the stack we detect an IPv6 protocol address is really
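Review bot: IP_OFF_CONVERT has no fallback branch, so a build where neither __FreeBSD__ nor __NetBSD__ is defined fails only at the first use site with an implicit-declaration diagnostic, and a port that fills the gap by copying one of the two blocks picks a byte order by accident, which is exactly the class of bug this pullup fixes. Make the gap explicit by chaining the two blocks as `#ifdef __FreeBSD__` / `#elif defined(__NetBSD__)` / `#else` with `#error "IP_OFF_CONVERT: ip_off byte order unknown for this platform"` before the final `#endif`. Whether NetBSD's htons() folds a constant argument at compile time is not visible here; if it does not, IP_OFF_CONVERT(IP_MF | IP_OFFMASK) costs a call per packet in ipsec4_get_ulp and a constant-expression form of the swap would be preferable. The comment above the macros also has a doubled space in `ip_off  assumed`.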
diff -r 846e0e79a051 -r 93fb2bdcef45 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c       Mon Nov 19 21:10:06 2007 +0000
+++ b/sys/netipsec/ipsec_output.c       Thu Nov 22 19:01:36 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_output.c,v 1.13 2004/05/07 00:55:15 jonathan Exp $       */
+/*     $NetBSD: ipsec_output.c,v 1.13.22.1 2007/11/22 19:01:37 bouyer Exp $    */
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.13 2004/05/07 00:55:15 jonathan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.13.22.1 2007/11/22 19:01:37 bouyer Exp $");
 
 /*
  * IPsec output processing.
@@ -462,9 +462,7 @@
                                        goto bad;
                                }
                                ip = mtod(m, struct ip *);
-                               ip->ip_off = ntohs(ip->ip_off);
-                               ip->ip_off |= IP_DF;
-                               ip->ip_off = htons(ip->ip_off);
+                               ip->ip_off |= IP_OFF_CONVERT(IP_DF);
                        }
                }
        }
diff -r 846e0e79a051 -r 93fb2bdcef45 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Mon Nov 19 21:10:06 2007 +0000
+++ b/sys/netipsec/xform_ah.c   Thu Nov 22 19:01:36 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.8 2005/02/26 22:45:13 perry Exp $       */
+/*     $NetBSD: xform_ah.c,v 1.8.12.1 2007/11/22 19:01:36 bouyer Exp $ */
 /*     $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.8 2005/02/26 22:45:13 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.8.12.1 2007/11/22 19:01:36 bouyer Exp $");
 
 #include "opt_inet.h"
 #ifdef __FreeBSD__
@@ -326,12 +326,12 @@
 
 
                        if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
-                               ip->ip_off = htons(TOHOST(ip->ip_off) & IP_DF);
+                               ip->ip_off  &= IP_OFF_CONVERT(IP_DF);
                        else
                                ip->ip_off = 0;
                } else {
                        if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
-                               ip->ip_off = htons(ntohs(ip->ip_off) & IP_DF);
+                               ip->ip_off &= IP_OFF_CONVERT(IP_DF);
                        else
                                ip->ip_off = 0;
                }
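Review bot: After the change both arms of the outer if/else hold byte-identical bodies (the KPDK test followed by `ip->ip_off &= IP_OFF_CONVERT(IP_DF);` or `ip->ip_off = 0;`), because the only difference between them was TOHOST() versus ntohs(); the outer branch should be collapsed to a single copy so the two cannot drift apart again. The outer condition is not visible in the hunk, so the collapse is only valid if that condition has no other effect, which I cannot confirm from here. Also, `ip->ip_off  &= IP_OFF_CONVERT(IP_DF);` in the first arm has a doubled space that the second arm does not. The enclosing function starts and ends outside the hunk.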
diff -r 846e0e79a051 -r 93fb2bdcef45 sys/netipsec/xform_ipip.c
--- a/sys/netipsec/xform_ipip.c Mon Nov 19 21:10:06 2007 +0000
+++ b/sys/netipsec/xform_ipip.c Thu Nov 22 19:01:36 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ipip.c,v 1.10 2005/02/26 22:45:13 perry Exp $    */
+/*     $NetBSD: xform_ipip.c,v 1.10.4.1 2007/11/22 19:01:37 bouyer Exp $       */
 /*     $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /*     $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.10 2005/02/26 22:45:13 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.10.4.1 2007/11/22 19:01:37 bouyer Exp $");
 
 /*
  * IP-inside-IP processing
@@ -510,9 +510,7 @@
                        m_copydata(m, sizeof(struct ip) +
                            offsetof(struct ip, ip_off),
                            sizeof(u_int16_t), (caddr_t) &ipo->ip_off);
-                       ipo->ip_off = ntohs(ipo->ip_off);
-                       ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
-                       ipo->ip_off = htons(ipo->ip_off);
+                       ipo->ip_off &= ~ IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);
                }
 #ifdef INET6
                else if (tp == (IPV6_VERSION >> 4)) {
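Review bot: The new line `ipo->ip_off &= ~ IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);` has a stray space after the `~`; write `ipo->ip_off &= ~IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);`. The expression is correct in either byte order because complementing a 16-bit value commutes with swapping its bytes, and the int-typed result of `~` is truncated back to u_int16_t by the compound assignment; a one-line comment such as `/* mask is built in the platform's ip_off byte order, see IP_OFF_CONVERT */` would save the next reader re-deriving that. The enclosing function starts outside the hunk.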


