Page MenuHomeFreeBSD
Differential D22557

Add ESP dummy frames support
ClosedPublic
Actions

Authored by aurelien.cazuc.external_stormshield.eu on Nov 26 2019, 9:45 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Apr 28, 3:11 PM
Unknown Object (File)
Sun, Apr 27, 12:31 PM
Unknown Object (File)
Tue, Apr 22, 11:20 PM
Unknown Object (File)
Sun, Apr 20, 9:31 AM
Unknown Object (File)
Mon, Apr 14, 11:36 AM
Unknown Object (File)
Mon, Apr 14, 4:49 AM
Unknown Object (File)
Sun, Apr 13, 11:42 PM
Unknown Object (File)
Sun, Apr 13, 10:35 PM
View All 87 Files
Subscribers
ae
imp

Details

Reviewers
ae
Commits
rS355129: Add support for dummy ESP packets with next header field equal to
Summary

This patch provides support of dummy frames as specified by RFC 4303
Packets with IPPROTO_NONE are silently dropped just before ipsecX_common_input_cb

Test Plan

In manual testing, when generating packets with IPPROTO_NONE as next_header, packets are correctly dropped

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

aurelien.cazuc.external_stormshield.eu created this revision.Nov 26 2019, 9:45 AM
Herald added a subscriber: ae. · View Herald TranscriptNov 26 2019, 9:45 AM
ae added inline comments.Nov 26 2019, 3:51 PM
sys/netipsec/xform_esp.c
625 ↗(On Diff #64882)

This indentation does not conform to style(9). I think you can just use

if (lastthree[2] == IPPROTO_NONE)
      goto bad;

the error variable should already be zero.

aurelien.cazuc.external_stormshield.eu updated this revision to Diff 64889.Nov 26 2019, 3:59 PM

Remarks from ae

ae accepted this revision.Nov 27 2019, 12:45 AM
This revision is now accepted and ready to land.Nov 27 2019, 12:45 AM
aurelien.cazuc.external_stormshield.eu added a comment.Nov 27 2019, 8:12 AM

Hi @ae ,

Would you prefer commit it yourself or let fabient commit it ?
If you commit it yourself, please mention Stormshield as sponsor.

Thanks

Closed by commit rS355129: Add support for dummy ESP packets with next header field equal to (authored by ae). · Explain WhyNov 27 2019, 10:24 AM
This revision was automatically updated to reflect the committed changes.
ae added a commit: rS355129: Add support for dummy ESP packets with next header field equal to.
Herald added a subscriber: imp. · View Herald TranscriptNov 27 2019, 10:24 AM

Revision Contents
Changeset List

PathSize
head/
sys/
netipsec/
7 lines

Diff 64933

View Options

head/sys/netipsec/xform_esp.c

Loading...