From 863871d369f8deb687aafa26599d93a6ef7c5e41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kornel=20Dul=C4=99ba?=
Date: Wed, 27 Jul 2022 16:12:34 +0200
Subject: [PATCH] ipsec: Improve validation of PMTU
Currently there is no upper bound on the PMTU value that is accepted. Update hostcache only if the new pmtu is smaller than the current entry and the link MTU.
Approved by: mw(mentor)
Sponsored by: Stormshield
Obtained from: Semihalf
Differential Revision: https://reviews.freebsd.org/D35872
---
 sys/netipsec/ipsec_input.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index ce8f1f02b8be..268d8a797c35 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -276,6 +276,7 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
 struct icmp *icp;
 struct ip *ip = v;
 uint32_t pmtu, spi;
+ uint32_t max_pmtu;
 uint8_t proto;
 if (code != PRC_MSGSIZE || ip == NULL)
@@ -304,7 +305,15 @@ ipsec4_ctlinput(int code, struct sockaddr *sa, void *v)
 memset(&inc, 0, sizeof(inc));
 inc.inc_faddr = satosin(sa)->sin_addr;
- tcp_hc_updatemtu(&inc, pmtu);
+
+ /* Update pmtu only if its smaller than the current one. */
+ max_pmtu = tcp_hc_getmtu(&inc);
+ if (max_pmtu == 0)
+ max_pmtu = tcp_maxmtu(&inc, NULL);
+
+ if (pmtu < max_pmtu)
+ tcp_hc_updatemtu(&inc, pmtu);
+
 return (0);
 }
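Review bot: The comment above the new check in the second hunk of ipsec4_ctlinput() covers only half of the condition and has a typo ("its"): when the hostcache has no entry, `max_pmtu` falls back to `tcp_maxmtu(&inc, NULL)`, so the ICMP-supplied value is capped by the route MTU instead. I would spell that out, e.g. `/* Only ever lower the cached PMTU; with no hostcache entry the route MTU is the cap. */`. If `tcp_maxmtu()` can return 0 here (for example when there is no route for `inc_faddr`; its definition is not part of this patch), `pmtu < max_pmtu` is never true and the message is silently ignored, which looks like the safe outcome but deserves a word in the comment. `inc` carries only `inc_faddr` after the `memset`, so the route lookup presumably runs with default values for every other field; it is worth confirming that this yields the intended bound. The function starts above the hunk, so where `pmtu` is read from the ICMP header and whether a lower bound is applied to it cannot be seen here.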