D22557.id64882.diff
No OneTemporary
Actions

Size

1 KB

Referenced Files

None

Subscribers

None

D22557.id64882.diff
View Options

	Index: sys/netipsec/xform_esp.c
	===================================================================
	--- sys/netipsec/xform_esp.c
	+++ sys/netipsec/xform_esp.c
	@@ -620,20 +620,29 @@
	/* Restore the Next Protocol field */
	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);

	- switch (saidx->dst.sa.sa_family) {
	+ /* Silently drop packet if next_header is IPPROTO_NONE (RFC 4303) */
	+ if (lastthree[2] != IPPROTO_NONE)
	+ {
	+ switch (saidx->dst.sa.sa_family) {
	#ifdef INET6
	- case AF_INET6:
	- error = ipsec6_common_input_cb(m, sav, skip, protoff);
	- break;
	+ case AF_INET6:
	+ error = ipsec6_common_input_cb(m, sav, skip, protoff);
	+ break;
	#endif
	#ifdef INET
	- case AF_INET:
	- error = ipsec4_common_input_cb(m, sav, skip, protoff);
	- break;
	+ case AF_INET:
	+ error = ipsec4_common_input_cb(m, sav, skip, protoff);
	+ break;
	#endif
	- default:
	- panic("%s: Unexpected address family: %d saidx=%p", __func__,
	- saidx->dst.sa.sa_family, saidx);
	+ default:
	+ panic("%s: Unexpected address family: %d saidx=%p", __func__,
	+ saidx->dst.sa.sa_family, saidx);
	+ }
	+ }
	+ else
	+ {
	+ error = 0;
	+ goto bad;
	}
	CURVNET_RESTORE();
	return error;