From 564b60af35d3244810acda53de53b8fb737ccb46 Mon Sep 17 00:00:00 2001
From: cube
Date: Thu, 27 Mar 2008 00:18:56 +0000
Subject: [PATCH] - Make sure we send a reasonable fragment size when IPSEC is configured. Otherwise we end up sending a dubious "0" whenever we cannot find a proper association for the packet. - Reset sack_newdata along with snd_nxt to avoid improper integer arithmetics that lead to sending data from an incorrect place in the stream, making it appear as corrupted. Patch by Michael Van Elst, based on an analysis by Michael for the IPSEC stuff and I for the SACK issue.
---
 sys/netinet/ip_input.c | 33 +++++++++++++++++----------------
 sys/netinet/tcp_subr.c | 8 ++++----
 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 02900ab2c1d4..3a8460692070 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.262 2008/02/06 03:20:51 matt Exp $ */
+/* $NetBSD: ip_input.c,v 1.263 2008/03/27 00:18:56 cube Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.262 2008/02/06 03:20:51 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.263 2008/03/27 00:18:56 cube Exp $");
 #include "opt_inet.h"
 #include "opt_gateway.h"
@@ -1954,17 +1954,17 @@ ip_forward(struct mbuf *m, int srcrt)
 case EMSGSIZE:
 type = ICMP_UNREACH;
 code = ICMP_UNREACH_NEEDFRAG;
-#if !defined(IPSEC) && !defined(FAST_IPSEC)
- if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
- destmtu = rt->rt_ifp->if_mtu;
-#else
- /*
- * If the packet is routed over IPsec tunnel, tell the
- * originator the tunnel MTU.
- * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
- * XXX quickhack!!!
- */
+ if ((rt = rtcache_validate(&ipforward_rt)) != NULL) {
+
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * If the packet is routed over IPsec tunnel, tell the
+ * originator the tunnel MTU.
+ * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
+ * XXX quickhack!!!
+ */
+
 struct secpolicy *sp;
 int ipsecerror;
 size_t ipsechdr;
@@ -1973,10 +1973,11 @@ ip_forward(struct mbuf *m, int srcrt)
 sp = ipsec4_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror);
+#endif
- if (sp == NULL)
- destmtu = rt->rt_ifp->if_mtu;
- else {
+ destmtu = rt->rt_ifp->if_mtu;
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ if (sp != NULL) {
 /* count IPsec header size */
 ipsechdr = ipsec4_hdrsiz(mcopy, IPSEC_DIR_OUTBOUND, NULL);
@@ -2005,8 +2006,8 @@ ip_forward(struct mbuf *m, int srcrt)
 KEY_FREESP(&sp);
 #endif
 }
+#endif /*defined(IPSEC) || defined(FAST_IPSEC)*/
 }
-#endif /*IPSEC*/
 ipstat.ips_cantfrag++;
 break;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 5a18872cdd0b..c07c83b5a1bd 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_subr.c,v 1.224 2008/02/29 07:39:17 matt Exp $ */
+/* $NetBSD: tcp_subr.c,v 1.225 2008/03/27 00:18:56 cube Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.224 2008/02/29 07:39:17 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.225 2008/03/27 00:18:56 cube Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
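Review bot: In ip_forward's EMSGSIZE case in sys/netinet/ip_input.c, `destmtu` is still assigned only inside `if ((rt = rtcache_validate(&ipforward_rt)) != NULL) {`, so when the cached route fails validation the ICMP_UNREACH_NEEDFRAG reply presumably still carries whatever `destmtu` held before the switch. Its initialisation is outside these hunks, but the commit message suggests that value is 0. The change removes the zero for the "no matching security policy" path only, and a next-hop MTU of 0 leaves the originator to guess a size, which degrades path MTU discovery across the forwarder. If that is intended, I would record it next to the closing brace of the `if`, e.g. `/* rt == NULL: destmtu is left untouched; the originator falls back to its own RFC 1191 estimate */`; if not, an explicit fallback value belongs there. The body of ip_forward starts and ends outside the hunks, so the later use of `destmtu` could not be checked here.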
@@ -1757,7 +1757,7 @@ tcp_mtudisc(struct inpcb *inp, int errno)
 /*
 * Resend unacknowledged packets.
 */
- tp->snd_nxt = tp->snd_una;
+ tp->snd_nxt = tp->sack_newdata = tp->snd_una;
 tcp_output(tp);
 }
 }
@@ -1814,7 +1814,7 @@ tcp6_mtudisc(struct in6pcb *in6p, int errno)
 /*
 * Resend unacknowledged packets.
 */
- tp->snd_nxt = tp->snd_una;
+ tp->snd_nxt = tp->sack_newdata = tp->snd_una;
 tcp_output(tp);
 }
 }
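Review bot: The chained assignment `tp->snd_nxt = tp->sack_newdata = tp->snd_una;` in tcp_mtudisc now rewinds two fields, but the comment above it still says only "Resend unacknowledged packets", so the reason sack_newdata has to move lives only in the commit message; the identical line in tcp6_mtudisc has the same gap. I would add `/* Rewind sack_newdata together with snd_nxt: a stale value skews the SACK sequence arithmetic and tcp_output() then sends from the wrong offset in the stream. */` at both places. Because the pairing is maintained by hand in two functions, any other path that sets snd_nxt back to snd_una probably needs the same reset; none is visible in these hunks, so that is worth checking across the TCP code. Both function bodies begin outside the hunks.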