Module Name: src
Committed By: maxv
Date: Wed Mar 21 10:08:16 UTC 2018
Modified Files:
src/sys/net/npf: npf_inet.c
Log Message:
Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.
AH must be considered as the payload, otherwise a
block all
pass in proto ah from any
pass out proto ah from any
configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.
In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.
Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.
To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/net/npf/npf_inet.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
