
D33227.id99909.diff


Index: sys/netinet/tcp_syncache.c
===================================================================
--- sys/netinet/tcp_syncache.c
+++ sys/netinet/tcp_syncache.c
@@ -1514,19 +1514,25 @@
#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
- * If listening socket requested TCP digests, check that received
- * SYN has signature and it is correct. If signature doesn't match
- * or TCP_SIGNATURE support isn't enabled, drop the packet.
+ * When the socket is TCP-MD5 enabled check that,
+ * - a signed packet is valid
+ * - a non-signed packet does not have a security association
+ *
+ * If a signed packet fails validation or a non-signed packet has a
+ * security association, the packet will be dropped.
*/
if (ltflags & TF_SIGNATURE) {
- if ((to->to_flags & TOF_SIGNATURE) == 0) {
- TCPSTAT_INC(tcps_sig_err_nosigopt);
- goto done;
+ if (to->to_flags & TOF_SIGNATURE) {
+ if (!TCPMD5_ENABLED() ||
+ TCPMD5_INPUT(m, th, to->to_signature) != 0)
+ goto done;
+ } else {
+ if (TCPMD5_ENABLED() &&
+ TCPMD5_INPUT(m, NULL, NULL) != ENOENT)
+ goto done;
}
- if (!TCPMD5_ENABLED() ||
- TCPMD5_INPUT(m, th, to->to_signature) != 0)
- goto done;
- }
+ } else if (to->to_flags & TOF_SIGNATURE)
+ goto done;
#endif /* TCP_SIGNATURE */
/*
* See if we already have an entry for this connection.
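Review bot: The unsigned-SYN branch `if (TCPMD5_ENABLED() && TCPMD5_INPUT(m, NULL, NULL) != ENOENT)` fails open when TCP-MD5 support is not enabled: a listener with TF_SIGNATURE set now accepts an unsigned SYN in that case, whereas before this change it was dropped with tcps_sig_err_nosigopt, and the signed-SYN branch just above still drops on `!TCPMD5_ENABLED()`. If that asymmetry is intended (no SA can exist without the module), the new comment block should state it, e.g. `* Without TCP-MD5 support loaded no SA can exist, so an unsigned packet is accepted.` The trailing `} else if (to->to_flags & TOF_SIGNATURE) goto done;` drops a signed SYN on a listener that did not request MD5 without incrementing any tcps_sig_* counter, unlike the other drop paths here which are counted inside TCPMD5_INPUT, and the comment does not describe this third case either. The enclosing function continues outside the hunk on both sides.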
@@ -1724,11 +1730,11 @@
}
#if defined(IPSEC_SUPPORT) || defined(TCP_SIGNATURE)
/*
- * If listening socket requested TCP digests, flag this in the
+ * If the incoming packet has an MD5 signature, flag this in the
* syncache so that syncache_respond() will do the right thing
* with the SYN+ACK.
*/
- if (ltflags & TF_SIGNATURE)
+ if (to->to_flags & TOF_SIGNATURE)
sc->sc_flags |= SCF_SIGNATURE;
#endif /* TCP_SIGNATURE */
if (to->to_flags & TOF_SACKPERM)
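Review bot: With `if (to->to_flags & TOF_SIGNATURE)` replacing the ltflags test, SCF_SIGNATURE now records whether the peer's SYN was signed rather than whether the listener requested MD5, so an unsigned SYN on a TF_SIGNATURE listener with no SA creates an entry with the flag clear. Any consumer of SCF_SIGNATURE outside this diff (the SYN+ACK path the comment names, and presumably the ACK validation in syncache_expand) should be confirmed to still apply the SA-based policy when the flag is clear; nothing on this page shows that. The enclosing function continues outside the hunk.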
Index: sys/netipsec/xform_tcp.c
===================================================================
--- sys/netipsec/xform_tcp.c
+++ sys/netipsec/xform_tcp.c
@@ -269,6 +269,11 @@
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
return (ENOENT);
}
+ if (buf == NULL) {
+ key_freesav(&sav);
+ KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt);
+ return (EACCES);
+ }
/*
* tcp_input() operates with TCP header fields in host
* byte order. We expect them in network byte order.
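Review bot: The added `if (buf == NULL)` block makes this function double as an SA probe when called with NULL th/buf (the caller in tcp_syncache.c tests for ENOENT), but nothing documents that calling convention or that EACCES means "an SA exists but the segment carries no signature"; a comment above the check would help, e.g. `/* th == NULL && buf == NULL: the caller only probes for an SA. ENOENT above means none exists; an SA with no signature in the segment is a policy failure. */`. The counter bumped here is tcps_sig_err_nosigopt, which matches the counter the old syncache path used for this case, so the drop stays visible in the statistics. The function's start is outside the hunk; whether th is dereferenced before this point when the probe form is used should be checked there.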
