author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-05-12 02:21:15 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-05-12 02:21:15 +0000 |
commit | b16d47088e1416b3dc4d220ba3172be37b1f4f38 (patch) | |
tree | e90fa0ecf91c2f6f2485f38e84bc22c639146fea /sys/net | |
parent | 05de2ef6012d56fcdf31b2bc6ec425ea015011b4 (diff) |
correct AH header chasing. ok dhartmei@openbsd
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 29 |
1 files changed, 13 insertions, 16 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 910798a6cd6..e41cf344e23 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.207 2002/05/12 00:54:56 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.208 2002/05/12 02:21:14 itojun Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -101,15 +101,6 @@ struct pf_port_node { }; LIST_HEAD(pf_port_list, pf_port_node); -/* structure for ipsec and ipv6 option header template */ -struct _opt6 { - u_int8_t opt6_nxt; /* next header */ - u_int8_t opt6_hlen; /* header extension length */ - u_int16_t _pad; - u_int32_t ah_spi; /* security parameter index - for authentication header */ -}; - /* * Global variables */ @@ -4757,7 +4748,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, case IPPROTO_ROUTING: case IPPROTO_DSTOPTS: { /* get next header and header length */ - struct _opt6 opt6; + struct ip6_ext opt6; if (!pf_pull_hdr(m, off2, &opt6, sizeof(opt6), NULL, NULL, pd2.af)) { @@ -4765,8 +4756,11 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, ("pf: ICMPv6 short opt\n")); return(PF_DROP); } - pd2.proto = opt6.opt6_nxt; - off2 += (opt6.opt6_hlen + 1) * 8; + if (pd2.proto == IPPROTO_AH) + off2 += (opt6.ip6e_len + 2) * 4; + else + off2 += (opt6.ip6e_len + 1) * 8; + pd2.proto = opt6.ip6e_nxt; /* goto the next header */ break; } @@ -5694,7 +5688,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) case IPPROTO_ROUTING: case IPPROTO_DSTOPTS: { /* get next header and header length */ - struct _opt6 opt6; + struct ip6_ext opt6; if (!pf_pull_hdr(m, off, &opt6, sizeof(opt6), NULL, NULL, pd.af)) { @@ -5705,8 +5699,11 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) log = 1; goto done; } - pd.proto = opt6.opt6_nxt; - off += (opt6.opt6_hlen + 1) * 8; + if (pd.proto == IPPROTO_AH) + off += (opt6.ip6e_len + 2) * 4; + else + off += (opt6.ip6e_len + 1) * 8; + pd.proto = opt6.ip6e_nxt; /* goto the next header */ break; } |
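Review bot: The new AH branch in the pf_test_state_icmp hunk (`off2 += (opt6.ip6e_len + 2) * 4;`) has no comment saying why AH is sized differently from the other extension headers, and it only works because `pd2.proto` is tested before `pd2.proto = opt6.ip6e_nxt;` overwrites it. I would add `/* AH length is in 32-bit words minus 2 (RFC 2402); other ext headers count 8-octet units past the first 8 */` above the `if`, plus a short remark that the protocol must be checked before it is reassigned. The pf_test6 hunk repeats the same lines with `off` and `pd.proto`, so the same comment applies there. Because a wrong offset here makes the filter read the upper-layer header from the wrong place in the packet, a small static helper that returns the header length for a given protocol would keep the two copies from diverging again. Both functions begin and end outside the hunks, so the loop that bounds the chase is not visible here.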