Page MenuHomeFreeBSD
Differential D22557

Add ESP dummy frames support
ClosedPublic
Actions

Authored by aurelien.cazuc.external_stormshield.eu on Nov 26 2019, 9:45 AM.
Tags
None
Referenced Files
F108514622: D22557.id64882.diff
Sat, Jan 25, 7:38 PM
Unknown Object (File)
Sat, Jan 25, 6:25 AM
Unknown Object (File)
Thu, Jan 23, 6:44 PM
Unknown Object (File)
Sat, Jan 18, 5:20 PM
Unknown Object (File)
Fri, Jan 17, 1:48 PM
Unknown Object (File)
Mon, Jan 13, 10:59 AM
Unknown Object (File)
Mon, Jan 13, 12:24 AM
Unknown Object (File)
Dec 26 2024, 2:46 AM
View All 68 Files
Subscribers
ae
imp

Details

Reviewers
ae
Commits
rS355129: Add support for dummy ESP packets with next header field equal to
Summary

This patch provides support of dummy frames as specified by RFC 4303
Packets with IPPROTO_NONE are silently dropped just before ipsecX_common_input_cb

Test Plan

In manual testing, when generating packets with IPPROTO_NONE as next_header, packets are correctly dropped

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

aurelien.cazuc.external_stormshield.eu created this revision.Nov 26 2019, 9:45 AM
Herald added a subscriber: ae. · View Herald TranscriptNov 26 2019, 9:45 AM
ae added inline comments.Nov 26 2019, 3:51 PM
sys/netipsec/xform_esp.c
625 ↗(On Diff #64882)

This indentation does not conform to style(9). I think you can just use

if (lastthree[2] == IPPROTO_NONE)
      goto bad;

the error variable should already be zero.

aurelien.cazuc.external_stormshield.eu updated this revision to Diff 64889.Nov 26 2019, 3:59 PM

Remarks from ae

ae accepted this revision.Nov 27 2019, 12:45 AM
This revision is now accepted and ready to land.Nov 27 2019, 12:45 AM
aurelien.cazuc.external_stormshield.eu added a comment.Nov 27 2019, 8:12 AM

Hi @ae ,

Would you prefer commit it yourself or let fabient commit it ?
If you commit it yourself, please mention Stormshield as sponsor.

Thanks

Closed by commit rS355129: Add support for dummy ESP packets with next header field equal to (authored by ae). · Explain WhyNov 27 2019, 10:24 AM
This revision was automatically updated to reflect the committed changes.
ae added a commit: rS355129: Add support for dummy ESP packets with next header field equal to.
Herald added a subscriber: imp. · View Herald TranscriptNov 27 2019, 10:24 AM

Revision Contents
Changeset List

PathSize
head/
sys/
netipsec/
7 lines

Diff 64933

View Options

head/sys/netipsec/xform_esp.c

Loading...