d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix for an infinite loop in processing ESP, IPv6 packets.

Browse Source 
The control input routine passes a NULL as its void argument when it
has reached the innermost header, which terminates the loop.

Reported by: Pawel Worach <pawel.worach@gmail.com>
Approved by: re
This commit is contained in:
George V. Neville-Neil 2007-09-12 05:54:53 +00:00
parent 45c5d90b65
commit e61a9df52b
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sys/netipsec/ipsec_input.c
View File

@ -761,6 +761,11 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
void
esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
{
struct ip6ctlparam *ip6cp = NULL;
struct mbuf *m = NULL;
struct ip6_hdr *ip6;
int off;
if (sa->sa_family != AF_INET6 ||
sa->sa_len != sizeof(struct sockaddr_in6))
return;
@ -768,10 +773,18 @@ esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
return;
/* if the parameter is from icmp6, decode it. */
if (d != NULL) {
struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
struct mbuf *m = ip6cp->ip6c_m;
int off = ip6cp->ip6c_off;
if (d != NULL) {
ip6cp = (struct ip6ctlparam *)d;
m = ip6cp->ip6c_m;
ip6 = ip6cp->ip6c_ip6;
off = ip6cp->ip6c_off;
} else {
m = NULL;
ip6 = NULL;
off = 0; /* calm gcc */
}
if (ip6 != NULL) {
struct ip6ctlparam ip6cp1;