- Make sure we send a reasonable fragment size when IPSEC is configured.

Otherwise we end up sending a dubious "0" whenever we cannot find a proper association for the packet. - Reset sack_newdata along with snd_nxt to avoid improper integer arithmetics that lead to sending data from an incorrect place in the stream, making it appear as corrupted. Patch by Michael Van Elst, based on an analysis by Michael for the IPSEC stuff and I for the SACK issue.
2008-03-27 00:18:56 +00:00 · 2008-03-27 00:18:56 +00:00 · 564b60af35
parent ff0e77e824
commit 564b60af35
2 changed files with 21 additions and 20 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.262 2008/02/06 03:20:51 matt Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.263 2008/03/27 00:18:56 cube Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.262 2008/02/06 03:20:51 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.263 2008/03/27 00:18:56 cube Exp $");

 #include "opt_inet.h"
 #include "opt_gateway.h"
@ -1954,17 +1954,17 @@ ip_forward(struct mbuf *m, int srcrt)
 	case EMSGSIZE:
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_NEEDFRAG;
-#if !defined(IPSEC) && !defined(FAST_IPSEC)
-		if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
-			destmtu = rt->rt_ifp->if_mtu;
-#else
-		/*
-		 * If the packet is routed over IPsec tunnel, tell the
-		 * originator the tunnel MTU.
-		 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
-		 * XXX quickhack!!!
-		 */
+
 		if ((rt = rtcache_validate(&ipforward_rt)) != NULL) {
+
+#if defined(IPSEC) || defined(FAST_IPSEC)
+			/*
+			 * If the packet is routed over IPsec tunnel, tell the
+			 * originator the tunnel MTU.
+			 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
+			 * XXX quickhack!!!
+			 */
+
 			struct secpolicy *sp;
 			int ipsecerror;
 			size_t ipsechdr;
@ -1973,10 +1973,11 @@ ip_forward(struct mbuf *m, int srcrt)
 			sp = ipsec4_getpolicybyaddr(mcopy,
 			    IPSEC_DIR_OUTBOUND, IP_FORWARDING,
 			    &ipsecerror);
+#endif

-			if (sp == NULL)
-				destmtu = rt->rt_ifp->if_mtu;
-			else {
+			destmtu = rt->rt_ifp->if_mtu;
+#if defined(IPSEC) || defined(FAST_IPSEC)
+			if (sp != NULL) {
 				/* count IPsec header size */
 				ipsechdr = ipsec4_hdrsiz(mcopy,
 				    IPSEC_DIR_OUTBOUND, NULL);
@ -2005,8 +2006,8 @@ ip_forward(struct mbuf *m, int srcrt)
 				KEY_FREESP(&sp);
 #endif
 			}
+#endif /*defined(IPSEC) || defined(FAST_IPSEC)*/
 		}
-#endif /*IPSEC*/
 		ipstat.ips_cantfrag++;
 		break;

--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.224 2008/02/29 07:39:17 matt Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.225 2008/03/27 00:18:56 cube Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.224 2008/02/29 07:39:17 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.225 2008/03/27 00:18:56 cube Exp $");

 #include "opt_inet.h"
 #include "opt_ipsec.h"
@ -1757,7 +1757,7 @@ tcp_mtudisc(struct inpcb *inp, int errno)
 		/*
 		 * Resend unacknowledged packets.
 		 */
-		tp->snd_nxt = tp->snd_una;
+		tp->snd_nxt = tp->sack_newdata = tp->snd_una;
 		tcp_output(tp);
 	}
 }
@ -1814,7 +1814,7 @@ tcp6_mtudisc(struct in6pcb *in6p, int errno)
 		/*
 		 * Resend unacknowledged packets.
 		 */
-		tp->snd_nxt = tp->snd_una;
+		tp->snd_nxt = tp->sack_newdata = tp->snd_una;
 		tcp_output(tp);
 	}
 }