diff options
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1997-10-01 01:17:31 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1997-10-01 01:17:31 +0000 |
| commit | e6a803684f50b23e635ba058ed091a539dc56c52 (patch) | |
| tree | f5cdd3fc1cf7b923d09291ce4adef6a7ff4e29f2 | |
| parent | 80491bafc8bc1a777656be85e810492e94e54d80 (diff) | |
verify decryption by checking last padding bytes
| -rw-r--r-- | sys/netinet/ip_esp_old.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c index f937ab22c6d..64fcf013c8b 100644 --- a/sys/netinet/ip_esp_old.c +++ b/sys/netinet/ip_esp_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_old.c,v 1.7 1997/09/30 03:29:50 deraadt Exp $ */ +/* $OpenBSD: ip_esp_old.c,v 1.8 1997/10/01 01:17:30 deraadt Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -444,8 +444,16 @@ esp_old_input(struct mbuf *m, struct tdb *tdb) * blk[7] contains the next protocol, and blk[6] contains the * amount of padding the original chain had. Chop off the * appropriate parts of the chain, and return. + * Verify correct decryption by checking the last padding bytes. */ + if ((blk[6] != blk[5]) && (blk[6] != 0)) + { + log(LOG_ALERT, "esp_old_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + m_freem(m); + return NULL; + } + m_adj(m, -blk[6] - 2); m_adj(m, 4 + xd->edx_ivlen); |