fix KAME PR 296 again, for transport-mode SA only

(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00 · 2000-11-10 01:10:36 +00:00 · 970a75f808
parent a7398324e3
commit 970a75f808
1 changed files with 8 additions and 2 deletions
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@ -1,5 +1,5 @@
-/*	$NetBSD: ipsec.c,v 1.30 2000/11/09 17:36:11 itojun Exp $	*/
-/*	$KAME: ipsec.c,v 1.82 2000/11/09 17:34:10 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.31 2000/11/10 01:10:36 itojun Exp $	*/
+/*	$KAME: ipsec.c,v 1.83 2000/11/09 17:45:30 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -3095,6 +3095,9 @@ ipsec4_tunnel_validate(ip, nxt0, sav)

 	if (nxt != IPPROTO_IPV4)
 		return 0;
+	/* do not decapsulate if the SA is for transport mode only */
+	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
+		return 0;
 #ifdef _IP_VHL
 	hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
 #else
@ -3133,6 +3136,9 @@ ipsec6_tunnel_validate(ip6, nxt0, sav)

 	if (nxt != IPPROTO_IPV6)
 		return 0;
+	/* do not decapsulate if the SA is for transport mode only */
+	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
+		return 0;
 	switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 	case AF_INET6:
 		sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);