d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ipsec: Improve validation of PMTU

Browse Source 
Currently there is no upper bound on the PMTU value that is accepted.
Update hostcache only if the new pmtu is smaller than the current entry
and the link MTU.

Approved by:	mw(mentor)
Sponsored by:	Stormshield
Obtained from:	Semihalf
Differential Revision: https://reviews.freebsd.org/D35872
This commit is contained in:
Kornel Dulęba 2022-07-27 16:12:34 +02:00
parent 82042465c3
commit 863871d369
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sys/netipsec/ipsec_input.c
View File

@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
struct icmp *icp;
struct ip *ip = v;
uint32_t pmtu, spi;
uint32_t max_pmtu;
uint8_t proto;
if (code != PRC_MSGSIZE || ip == NULL)
@ -304,7 +305,15 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
memset(&inc, 0, sizeof(inc));
inc.inc_faddr = satosin(sa)->sin_addr;
tcp_hc_updatemtu(&inc, pmtu);
/* Update pmtu only if its smaller than the current one. */
max_pmtu = tcp_hc_getmtu(&inc);
if (max_pmtu == 0)
max_pmtu = tcp_maxmtu(&inc, NULL);
if (pmtu < max_pmtu)
tcp_hc_updatemtu(&inc, pmtu);
return (0);
}