make sure to validate packet against ipsec policy.

This commit is contained in:
itojun 2001-02-26 07:20:44 +00:00
parent 416614582a
commit 233e3963ed
2 changed files with 41 additions and 3 deletions


@ -1,4 +1,4 @@
/* $NetBSD: raw_ip.c,v 1.54 2001/01/24 09:04:15 itojun Exp $ */
/* $NetBSD: raw_ip.c,v 1.55 2001/02/26 07:20:44 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -175,6 +175,14 @@ rip_input(m, va_alist)
continue;
if (last) {
struct mbuf *n;
#ifdef IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject_so(m, last->inp_socket)) {
ipsecstat.in_polvio++;
/* do not inject data to pcb */
} else
#endif /*IPSEC*/
if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
@ -192,6 +200,15 @@ rip_input(m, va_alist)
}
last = inp;
}
#ifdef IPSEC
/* check AH/ESP integrity. */
if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
m_freem(m);
ipsecstat.in_polvio++;
ipstat.ips_delivered--;
/* do not inject data to pcb */
} else
#endif /*IPSEC*/
if (last) {
if (last->inp_flags & INP_CONTROLOPTS ||
last->inp_socket->so_options & SO_TIMESTAMP)
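Review bot: The comment `/* check AH/ESP integrity. */` added above each `ipsec4_in_reject_so()` call describes something the call does not do; the counter it feeds is `ipsecstat.in_polvio` and the commit title says the packet is validated against policy, so the comment should read `/* reject the packet if it violates this socket's inbound ipsec policy */` (the same wording applies to the two `Check AH/ESP integrity.` comments in raw_ip6.c). A second point, in the in-loop branch: a rejecting socket bumps `in_polvio` and skips the copy, yet `last = inp` still advances and the final branch checks again, so one packet can be counted as a policy violation once per matching raw socket; if `in_polvio` is meant to count packets rather than socket rejections, that is worth a note or a local flag. The loop-branch rejection also does not touch `ipstat.ips_delivered` while the final branch decrements it, which is presumably intentional because the mbuf is still delivered to later sockets, but a one-line comment at the `ips_delivered--` saying why only the final drop undoes the count would help. rip_input starts and ends outside these hunks.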


@ -1,5 +1,5 @@
/* $NetBSD: raw_ip6.c,v 1.29 2001/02/11 06:49:52 itojun Exp $ */
/* $KAME: raw_ip6.c,v 1.65 2001/02/08 18:36:17 itojun Exp $ */
/* $NetBSD: raw_ip6.c,v 1.30 2001/02/26 07:20:45 itojun Exp $ */
/* $KAME: raw_ip6.c,v 1.66 2001/02/26 06:33:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -182,6 +182,16 @@ rip6_input(mp, offp, proto)
}
if (last) {
struct mbuf *n;
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
if (ipsec6_in_reject(m, last)) {
ipsec6stat.in_polvio++;
/* do not inject data into pcb */
} else
#endif /*IPSEC*/
if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
if (last->in6p_flags & IN6P_CONTROLOPTS)
ip6_savecontrol(last, &opts, ip6, n);
@ -201,6 +211,17 @@ rip6_input(mp, offp, proto)
}
last = in6p;
}
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
if (last && ipsec6_in_reject(m, last)) {
m_freem(m);
ipsec6stat.in_polvio++;
ip6stat.ip6s_delivered--;
/* do not inject data into pcb */
} else
#endif /*IPSEC*/
if (last) {
if (last->in6p_flags & IN6P_CONTROLOPTS)
ip6_savecontrol(last, &opts, ip6, m);
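Review bot: The `} else` placed immediately before `#endif /*IPSEC*/` makes the existing `if (last) {` block the else-arm of the new policy check only when IPSEC is defined, so the control flow of the delivery path now differs by preprocessor configuration and silently breaks if anyone inserts a statement between `#endif` and `if (last)`. The same splice appears in both hunks of this file and in raw_ip.c; a less fragile shape keeps the structure identical under both configurations, for example by moving the policy check inside the `if (last) {` body with an early `m_freem(m)` and exit, or by computing a local `int reject = 0;` under `#ifdef IPSEC` and testing `if (last && !reject)` unconditionally. It is also worth stating in a comment at `ip6stat.ip6s_delivered--` that this undoes a count taken before rip6_input was entered, since a reader of this hunk alone cannot see where it was incremented. rip6_input starts and ends outside these hunks.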