check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec

tunnel mode packet. decapsulate only if we got a tunnel mode SA. KAME PR 296.
2000-11-06 00:58:34 +00:00 · 2000-11-06 00:58:34 +00:00 · 47bce75f00
commit 47bce75f00
parent ef8a34f5c3
1 changed files with 6 additions and 2 deletions
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@ -1,5 +1,5 @@
-/*	$NetBSD: ipsec.c,v 1.28 2000/10/02 03:55:43 itojun Exp $	*/
-/*	$KAME: ipsec.c,v 1.80 2000/10/01 12:37:20 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.29 2000/11/06 00:58:34 itojun Exp $	*/
+/*	$KAME: ipsec.c,v 1.81 2000/10/25 06:30:57 sakane Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -3095,6 +3095,8 @@ ipsec4_tunnel_validate(ip, nxt0, sav)

 	if (nxt != IPPROTO_IPV4)
 		return 0;
+	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
+		return 0;
 #ifdef _IP_VHL
 	hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
 #else
@ -3133,6 +3135,8 @@ ipsec6_tunnel_validate(ip6, nxt0, sav)

 	if (nxt != IPPROTO_IPV6)
 		return 0;
+	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
+		return 0;
 	switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 	case AF_INET6:
 		sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);