Author: vanhu
Date: Thu Oct  1 15:33:53 2009
New Revision: 197674
URL: http://svn.freebsd.org/changeset/base/197674

Log:
  Changed an IPSEC_ASSERT to a simple test, as such invalid packets
  may arrive from outside without having been discarded earlier.
  
  Submitted by: aurelien.an...@netasq.com
  Reviewed by:  bz (secteam)
  Obtained from:        NETASQ
  MFC after:    1m

Modified:
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c       Thu Oct  1 15:28:40 2009        
(r197673)
+++ head/sys/netipsec/xform_esp.c       Thu Oct  1 15:33:53 2009        
(r197674)
@@ -282,9 +282,15 @@ esp_input(struct mbuf *m, struct secasva
 
        IPSEC_ASSERT(sav != NULL, ("null SA"));
        IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
-       IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0,
-               ("misaligned packet, skip %u pkt len %u",
-                       skip, m->m_pkthdr.len));
+
+       /* Valid IP Packet length ? */
+       if ( (skip&3) || (m->m_pkthdr.len&3) ){
+               DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
+                               __func__, skip, m->m_pkthdr.len));
+               V_espstat.esps_badilen++;
+               m_freem(m);
+               return EINVAL;
+       }
 
        /* XXX don't pullup, just copy header */
        IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
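Review bot: The format string in the new `DPRINTF` call ends without `\n`, so, assuming DPRINTF expands to a printf-style log call, the misaligned-packet message will run into whatever is logged next; it should read `"%s: misaligned packet, skip %u pkt len %u\n"`. The comment `/* Valid IP Packet length ? */` also says less than the check does: it would be clearer as `/* Packet-derived lengths: reject at runtime, not by assert, unless 4-byte aligned. */`, which records why this must not be turned back into an IPSEC_ASSERT. Because the commit log says such packets can come from outside, it is worth confirming that DPRINTF is gated or rate-limited so a remote sender cannot use this path to flood the log. esp_input starts and ends outside the hunk, so the declared types of `skip` and `m->m_pkthdr.len` (both printed with `%u`) and the callers' handling of `EINVAL` after `m_freem(m)` could not be checked here.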