maxv fbb9ed35f8 When reassembling IPv4/IPv6 packets, ensure each fragment has been subject
to the same IPsec processing. That is to say, that all fragments are ESP,
or AH, or AH+ESP, or none.

The reassembly mechanism can be used both on the wire and inside an IPsec
tunnel, so we need to make sure all fragments of a packet were received
on only one side.

Even though I haven't tried, I believe there are configurations where it
would be possible for an attacker to inject an unencrypted fragment into a
legitimate stream of already-decrypted-and-authenticated fragments.

Typically on IPsec gateways with ESP tunnels, where we can encapsulate
fragments (as opposed to the general case, where we fragment encapsulated
data).

Note, for the record: a funnier thing, under IPv4, would be to send a
zero-sized !MFF fragment at the head of the packet, and manage to trigger
an ICMP error; M_DECRYPTED gets lost by the reassembly, and ICMP will reply
with the packet in clear (not encrypted).
2018-05-15 19:16:38 +00:00
bin Stop using the register keyword in ksh(1) 2018-05-08 16:37:59 +00:00
common Complete previous by completely removing the _DIAGASSERT from memmove - 2018-02-12 11:14:15 +00:00
compat fix a comment. 2018-02-06 10:00:00 +00:00
crypto remove definition of LUA_USE_APICHECK, it is a build time option for Lua 2018-05-11 20:19:25 +00:00
dist/pf fix two issues found by GCC 6.4: 2018-02-04 08:44:36 +00:00
distrib Add the audio mixer specification to section 7 of the manual. 2018-05-15 00:54:01 +00:00
doc new acpica 2018-05-05 00:13:01 +00:00
etc Create bpf and openfirm devices 2018-04-28 12:45:03 +00:00
external Add firmware for use with bwfm at pci. 2018-05-11 07:43:42 +00:00
extsrc
games make fortune fatter 2018-05-08 05:24:22 +00:00
include Mark in string.h: memccpy(3) and strdup(3) as _POSIX_C_SOURCE >= 2001 2018-02-20 02:35:24 +00:00
lib file system police; remove trailing whitespace; merge two error sections 2018-05-05 06:39:10 +00:00
libexec remove definition of LUA_USE_APICHECK, it is a build time option for Lua 2018-05-11 20:19:25 +00:00
regress Don't test call gates, they are not supported anymore. 2017-08-30 15:46:19 +00:00
rescue Add progress(1) into /rescue. 2018-04-11 00:26:38 +00:00
sbin With the change to use getpass_r the 128 byte passphrase limit no 2018-05-09 20:23:35 +00:00
share Various improvements, more markup, typo fixes. 2018-05-15 09:30:01 +00:00
sys When reassembling IPv4/IPv6 packets, ensure each fragment has been subject 2018-05-15 19:16:38 +00:00
tests Revert previous change in t_ptrace.c 2018-05-14 12:44:40 +00:00
tools For EXTERNAL_TOOLCHAIN, MKLLVM=yes needs to build only tablegen. 2018-05-09 13:21:27 +00:00
usr.bin Add an optional '-p pidfile' parameter. 2018-05-15 01:41:29 +00:00
usr.sbin Use the correct tag options. 2018-05-15 04:25:25 +00:00
BUILDING Re-add files that were accidentally deleted in my previous commit. 2018-05-02 07:34:44 +00:00
Makefile Re-add files that were accidentally deleted in my previous commit. 2018-05-02 07:34:44 +00:00
Makefile.inc Re-add files that were accidentally deleted in my previous commit. 2018-05-02 07:34:44 +00:00
UPDATING Re-add files that were accidentally deleted in my previous commit. 2018-05-02 07:34:44 +00:00
build.sh Re-add files that were accidentally deleted in my previous commit. 2018-05-02 07:34:44 +00:00