[src/netbsd-2-0]: src/sys/netipsec Pull up following revision(s) (requested b...
details: https://anonhg.NetBSD.org/src/rev/c1afe0f49a27
branches: netbsd-2-0
changeset: 565073:c1afe0f49a27
user: bouyer <bouyer%NetBSD.org@localhost>
date: Sat Dec 01 17:33:14 2007 +0000
description:
Pull up following revision(s) (requested by adrianp in ticket #11395):
sys/netipsec/xform_ah.c: revision 1.19 via patch
sys/netipsec/ipsec.c: revision 1.34 via patch
sys/netipsec/xform_ipip.c: revision 1.18 via patch
sys/netipsec/ipsec_output.c: revision 1.23 via patch
sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. As a result,
IPsec processing that depends on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@
diffstat:
sys/netipsec/ipsec.c | 8 ++++----
sys/netipsec/ipsec_osdep.h | 19 +++++++++++++++++--
sys/netipsec/ipsec_output.c | 8 +++-----
sys/netipsec/xform_ah.c | 8 ++++----
sys/netipsec/xform_ipip.c | 8 +++-----
5 files changed, 31 insertions(+), 20 deletions(-)
diffs (168 lines):
diff -r 83a0c7e646eb -r c1afe0f49a27 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Sat Dec 01 17:29:55 2007 +0000
+++ b/sys/netipsec/ipsec.c Sat Dec 01 17:33:14 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.10.2.1 2004/05/10 15:02:18 tron Exp $ */
+/* $NetBSD: ipsec.c,v 1.10.2.2 2007/12/01 17:33:14 bouyer Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.10.2.1 2004/05/10 15:02:18 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.10.2.2 2007/12/01 17:33:14 bouyer Exp $");
/*
* IPsec controller part.
@@ -870,7 +870,7 @@
/* NB: ip_input() flips it into host endian XXX need more checking */
if (m->m_len >= sizeof(struct ip)) {
struct ip *ip = mtod(m, struct ip *);
- if (ip->ip_off & (IP_MF | IP_OFFMASK))
+ if (ip->ip_off & IP_OFF_CONVERT(IP_MF | IP_OFFMASK))
goto done;
#ifdef _IP_VHL
off = _IP_VHL_HL(ip->ip_vhl) << 2;
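Review bot: The comment directly above the first changed line still says that ip_input() flips ip_off into host endian, which is exactly what the new IP_OFF_CONVERT() call on the next line exists to work around on NetBSD, so the comment now misleads the reader; the sibling hunk at -882 just below sits under the same stale remark. Replace it with `/* NB: ip_off byte order is OS-specific (host on FreeBSD, network on NetBSD); IP_OFF_CONVERT() maps the mask to it */` and drop the XXX, since the macro now does the checking. The enclosing function (ipsec4_get_ulp, per the description) starts and ends outside both hunks.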
@@ -882,7 +882,7 @@
struct ip ih;
m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
- if (ih.ip_off & (IP_MF | IP_OFFMASK))
+ if (ih.ip_off & IP_OFF_CONVERT(IP_MF | IP_OFFMASK))
goto done;
#ifdef _IP_VHL
off = _IP_VHL_HL(ih.ip_vhl) << 2;
diff -r 83a0c7e646eb -r c1afe0f49a27 sys/netipsec/ipsec_osdep.h
--- a/sys/netipsec/ipsec_osdep.h Sat Dec 01 17:29:55 2007 +0000
+++ b/sys/netipsec/ipsec_osdep.h Sat Dec 01 17:33:14 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_osdep.h,v 1.9.2.1 2004/05/10 15:06:08 tron Exp $ */
+/* $NetBSD: ipsec_osdep.h,v 1.9.2.2 2007/12/01 17:33:16 bouyer Exp $ */
/* $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_osdep.h,v 1.1 2003/09/29 22:47:45 sam Exp $ */
/*
@@ -44,6 +44,7 @@
* 9. Global SLIST of all open raw sockets.
* 10. Global SLIST of known interface addresses.
* 11. Type of initialization functions.
+ * 12. Byte order of ip_off
*/
/*
@@ -268,8 +269,22 @@
#define INITFN extern
#endif
+/* 12. On FreeBSD, ip_off assumed in host endian;
+ * it is converted (if necessary) by ip_input().
+ * On NetBSD, ip_off is in network byte order.
+ * We hide the difference with the macro IP_OFF_CONVERT
+ */
+
+#ifdef __FreeBSD__
+#define IP_OFF_CONVERT(x) (x)
+#endif
+
+#ifdef __NetBSD__
+#define IP_OFF_CONVERT(x) (htons(x))
+#endif
+
/*
- * 12. IPv6 support, and "generic" inpcb vs. IPv4 pcb vs. IPv6 pcb.
+ * 13. IPv6 support, and "generic" inpcb vs. IPv4 pcb vs. IPv6 pcb.
* To IPv6 V4-mapped addresses (and the KAME-derived implementation
* of IPv6 v4-mapped addresses) we must support limited polymorphism:
* partway down the stack we detect an IPv6 protocol address is really
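Review bot: IP_OFF_CONVERT is defined only under `#ifdef __FreeBSD__` and `#ifdef __NetBSD__`; on any other platform the macro is simply absent, and the first failure will be an implicit-declaration or link error at a use site in ipsec.c, xform_ah.c or xform_ipip.c rather than at the definition, with no hint that the real problem is an unknown ip_off byte order. An `#error` fallback makes the portability assumption explicit where it is documented, and chaining the conditions as `#elif` avoids two independent `#ifdef` blocks that could both match a compiler defining both symbols. The comment block above the macros could also say outright that the macro's argument is a constant mask, which is the only way it is used in this commit.
```c
/* … unchanged: item 12 comment block … */
#ifdef __FreeBSD__
#define IP_OFF_CONVERT(x) (x)
#elif defined(__NetBSD__)
#define IP_OFF_CONVERT(x) (htons(x))
#else
#error "IP_OFF_CONVERT: ip_off byte order is not known for this platform"
#endif
```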
diff -r 83a0c7e646eb -r c1afe0f49a27 sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c Sat Dec 01 17:29:55 2007 +0000
+++ b/sys/netipsec/ipsec_output.c Sat Dec 01 17:33:14 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.12.2.1 2004/05/10 15:02:18 tron Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.12.2.2 2007/12/01 17:33:15 bouyer Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.12.2.1 2004/05/10 15:02:18 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.12.2.2 2007/12/01 17:33:15 bouyer Exp $");
/*
* IPsec output processing.
@@ -462,9 +462,7 @@
goto bad;
}
ip = mtod(m, struct ip *);
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_off |= IP_DF;
- ip->ip_off = htons(ip->ip_off);
+ ip->ip_off |= IP_OFF_CONVERT(IP_DF);
}
}
}
diff -r 83a0c7e646eb -r c1afe0f49a27 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c Sat Dec 01 17:29:55 2007 +0000
+++ b/sys/netipsec/xform_ah.c Sat Dec 01 17:33:14 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.6.2.1 2004/05/11 12:30:46 tron Exp $ */
+/* $NetBSD: xform_ah.c,v 1.6.2.2 2007/12/01 17:33:14 bouyer Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.6.2.1 2004/05/11 12:30:46 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.6.2.2 2007/12/01 17:33:14 bouyer Exp $");
#include "opt_inet.h"
#ifdef __FreeBSD__
@@ -326,12 +326,12 @@
if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
- ip->ip_off = htons(TOHOST(ip->ip_off) & IP_DF);
+ ip->ip_off &= IP_OFF_CONVERT(IP_DF);
else
ip->ip_off = 0;
} else {
if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK)
- ip->ip_off = htons(ntohs(ip->ip_off) & IP_DF);
+ ip->ip_off &= IP_OFF_CONVERT(IP_DF);
else
ip->ip_off = 0;
}
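Review bot: After this change the two KPDK branches (the first and second changed lines, each followed by `else ip->ip_off = 0;`) have identical bodies, so the outer if/else that chooses between them no longer distinguishes anything on the lines visible here; unless that outer branch carries other differences outside the hunk, the two copies can be collapsed into a single `if (alg == CRYPTO_MD5_KPDK || alg == CRYPTO_SHA1_KPDK) ip->ip_off &= IP_OFF_CONVERT(IP_DF); else ip->ip_off = 0;`. A one-line comment such as `/* keep only DF; ip_off is in its stored byte order, IP_OFF_CONVERT maps the mask to it */` would also explain why the conversion is applied to the constant rather than to the field. The enclosing function starts and ends outside the hunk.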
diff -r 83a0c7e646eb -r c1afe0f49a27 sys/netipsec/xform_ipip.c
--- a/sys/netipsec/xform_ipip.c Sat Dec 01 17:29:55 2007 +0000
+++ b/sys/netipsec/xform_ipip.c Sat Dec 01 17:33:14 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.9 2004/03/17 00:21:43 jonathan Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.9.2.1 2007/12/01 17:33:15 bouyer Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.9 2004/03/17 00:21:43 jonathan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.9.2.1 2007/12/01 17:33:15 bouyer Exp $");
/*
* IP-inside-IP processing
@@ -510,9 +510,7 @@
m_copydata(m, sizeof(struct ip) +
offsetof(struct ip, ip_off),
sizeof(u_int16_t), (caddr_t) &ipo->ip_off);
- ipo->ip_off = ntohs(ipo->ip_off);
- ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
- ipo->ip_off = htons(ipo->ip_off);
+ ipo->ip_off &= ~ IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);
}
#ifdef INET6
else if (tp == (IPV6_VERSION >> 4)) {
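Review bot: The added line writes `~ IP_OFF_CONVERT(...)` with a stray space after the unary operator, which reads like a binary expression at a glance; `ipo->ip_off &= ~IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);` matches the rest of the file's operator spacing. Note that on NetBSD the macro yields htons()'s 16-bit result promoted to int, so the `~` sets the upper bits as well; that is harmless because the compound assignment truncates back to the 16-bit ip_off field (the m_copydata three lines above copies sizeof(u_int16_t) into it), but a short comment saying so would save the next reader the same check. The enclosing function starts and ends outside the hunk.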