Add support for dummy ESP packets with next header field equal to

IPPROTO_NONE. According to RFC4303 2.6 they should be silently dropped. Submitted by: aurelien.cazuc.external_stormshield.eu MFC after: 10 days Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D22557
2019-11-27 10:24:46 +00:00 · 2019-11-27 10:24:46 +00:00 · 3f44ee8e99
commit 3f44ee8e99
parent 1861313623
1 changed files with 7 additions and 0 deletions
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -614,6 +614,13 @@ esp_input_cb(struct cryptop *crp)
 		}
 	}

+	/*
+	 * RFC4303 2.6:
+	 * Silently drop packet if next header field is IPPROTO_NONE.
+	 */
+	if (lastthree[2] == IPPROTO_NONE)
+		goto bad;
+
 	/* Trim the mbuf chain to remove trailing authenticator and padding */
 	m_adj(m, -(lastthree[1] + 2));