Page MenuHomeFreeBSD
Differential D22557

Add ESP dummy frames support
ClosedPublic
Actions

Authored by anaelle.cazuc_stormshield.eu on Nov 26 2019, 9:45 AM.
Tags
None
Referenced Files
F151138955: D22557.id64882.diff
Mon, Apr 6, 8:45 AM
Unknown Object (File)
Tue, Mar 31, 6:55 AM
Unknown Object (File)
Tue, Mar 31, 12:22 AM
Unknown Object (File)
Mon, Mar 30, 5:59 AM
Unknown Object (File)
Fri, Mar 20, 1:51 PM
Unknown Object (File)
Tue, Mar 17, 7:21 PM
Unknown Object (File)
Wed, Mar 11, 6:49 PM
Unknown Object (File)
Mar 6 2026, 1:21 AM
View All Files
Subscribers
ae
imp

Details

Reviewers
ae
Commits
rS355129: Add support for dummy ESP packets with next header field equal to
Summary

This patch provides support of dummy frames as specified by RFC 4303
Packets with IPPROTO_NONE are silently dropped just before ipsecX_common_input_cb

Test Plan

In manual testing, when generating packets with IPPROTO_NONE as next_header, packets are correctly dropped

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

anaelle.cazuc_stormshield.eu created this revision.Nov 26 2019, 9:45 AM
Herald added a subscriber: ae. · View Herald TranscriptNov 26 2019, 9:45 AM
ae added inline comments.Nov 26 2019, 3:51 PM
sys/netipsec/xform_esp.c
625 ↗(On Diff #64882)

This indentation does not conform to style(9). I think you can just use

if (lastthree[2] == IPPROTO_NONE)
      goto bad;

the error variable should already be zero.

anaelle.cazuc_stormshield.eu updated this revision to Diff 64889.Nov 26 2019, 3:59 PM

Remarks from ae

ae accepted this revision.Nov 27 2019, 12:45 AM
This revision is now accepted and ready to land.Nov 27 2019, 12:45 AM
anaelle.cazuc_stormshield.eu added a comment.Nov 27 2019, 8:12 AM

Hi @ae ,

Would you prefer commit it yourself or let fabient commit it ?
If you commit it yourself, please mention Stormshield as sponsor.

Thanks

Closed by commit rS355129: Add support for dummy ESP packets with next header field equal to (authored by ae). · Explain WhyNov 27 2019, 10:24 AM
This revision was automatically updated to reflect the committed changes.
ae added a commit: rS355129: Add support for dummy ESP packets with next header field equal to.
Herald added a subscriber: imp. · View Herald TranscriptNov 27 2019, 10:24 AM

Revision Contents
Changeset List

PathSize
head/
sys/
netipsec/
7 lines

Diff 64933

View Options

head/sys/netipsec/xform_esp.c

Loading...