author | David Gwynne <dlg@cvs.openbsd.org> | 2009-03-31 01:21:30 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2009-03-31 01:21:30 +0000 |
commit | 65ed0dcb6076e246d39ecdea85f9f3341844daac (patch) | |
tree | eaed9bb75bb0720a3bddacc3ab4e962bd2fb7158 /sys/net | |
parent | 2203b6a52fc2a70b8f6ecaf03de94b0cc56bc85a (diff) |
do not include space at the end of the frame for a hmac. after discussion
with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
sense for pfsync.
this also firms up some of the input parsing so it handles short frames a
bit better.
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/if_pfsync.c | 25 | ||||
-rw-r--r-- | sys/net/if_pfsync.h | 4 |
2 files changed, 10 insertions, 19 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 5aa850a382b..d7d17080896 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.118 2009/03/23 06:19:59 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.119 2009/03/31 01:21:29 dlg Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -89,8 +89,7 @@
 #define PFSYNC_MINPKT ( \
 sizeof(struct ip) + \
 sizeof(struct pfsync_header) + \
- sizeof(struct pfsync_subheader) + \
- sizeof(struct pfsync_eof))
+ sizeof(struct pfsync_subheader))
 
 struct pfsync_pkt {
 struct ip *ip;
@@ -98,8 +97,6 @@ struct pfsync_pkt {
 u_int8_t flags;
 };
 
-int pfsync_input_hmac(struct mbuf *, int);
-
 int pfsync_upd_tcp(struct pf_state *, struct pfsync_state_peer *,
 struct pfsync_state_peer *);
 
@@ -622,7 +619,7 @@ pfsync_input(struct mbuf *m, ...)
 struct pfsync_header *ph;
 struct pfsync_subheader subh;
 
- int offset;
+ int offset, len;
 int rv;
 
 pfsyncstats.pfsyncs_ipackets++;
@@ -667,13 +664,11 @@ pfsync_input(struct mbuf *m, ...)
 pfsyncstats.pfsyncs_badver++;
 goto done;
 }
-
-#if 0
- if (pfsync_input_hmac(m, offset) != 0) {
- /* XXX stats */
+ len = ntohs(ph->len) + offset;
+ if (m->m_pkthdr.len < len) {
+ pfsyncstats.pfsyncs_badlen++;
 goto done;
 }
-#endif
 
 /* Cheaper to grab this now than having to mess with mbufs later */
 pkt.ip = ip;
@@ -684,7 +679,7 @@ pfsync_input(struct mbuf *m, ...)
 pkt.flags |= PFSYNC_SI_CKSUM;
 
 offset += sizeof(*ph);
- for (;;) {
+ while (offset <= len - sizeof(subh)) {
 m_copydata(m, offset, sizeof(subh), (caddr_t)&subh);
 offset += sizeof(subh);
 
@@ -1314,8 +1309,8 @@ int
 pfsync_in_eof(struct pfsync_pkt *pkt, struct mbuf *m, int offset, int count)
 {
 /* check if we are at the right place in the packet */
- if (offset != m->m_pkthdr.len - sizeof(struct pfsync_eof))
- pfsyncstats.pfsyncs_badact++;
+ if (offset != m->m_pkthdr.len)
+ pfsyncstats.pfsyncs_badlen++;
 
 /* we're done. free and let the caller return */
 m_freem(m);
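Review bot: The new length check accepts any `ph->len`, including values smaller than the header it was read from: with `ph->len == 0`, `len` equals the pre-header `offset`, so after the `offset += sizeof(*ph)` in the following hunk the parser starts past `len` and the subheader loop never runs. Whether such a frame is then counted as bad and freed depends on the code after the loop, which is outside the hunk. Rejecting it at this point would make the outcome explicit, e.g. `if (m->m_pkthdr.len < len || ntohs(ph->len) < sizeof(*ph)) {` in place of the added condition. pfsync_input's body continues outside the hunk.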
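Review bot: The new loop bound only guarantees that the subheader itself fits before `len`; the `count` entries that follow it are read by the per-action handlers, which are outside the hunk, so each of them still has to verify `offset + count * sizeof(entry) <= len` (or against `m->m_pkthdr.len`) before its `m_copydata`, otherwise the header-length check protects only the subheaders. `offset` is `int` while `len - sizeof(subh)` is `size_t`, so the comparison is performed unsigned; it cannot wrap here only because `len` is at least the IP header length, and `while (offset + (int)sizeof(subh) <= len) {` keeps the comparison signed without relying on that. pfsync_input's body continues outside the hunk.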
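Review bot: The EOF position is still checked against `m->m_pkthdr.len`, whereas the parser loop now bounds itself with the header's declared length; a frame whose `ph->len` is shorter than the mbuf payload would be parsed to completion and then counted as `pfsyncs_badlen` here, if such frames reach this point. Comparing against the declared length would need it carried in `struct pfsync_pkt` or passed as a parameter; otherwise a comment such as `/* trailing data past the declared length is counted as badlen */` would document the chosen behaviour. pfsync_in_eof's body continues outside the hunk.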
@@ -1733,8 +1728,6 @@ pfsync_sendout(void)
 subh->action = PFSYNC_ACT_EOF;
 subh->count = htons(1);
 
- /* XXX write checksum in EOF here */
-
 /* we're done, let's put it on the wire */
 #if NBPFILTER > 0
 if (ifp->if_bpf) {
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index fae33616dc7..2c124276cbd 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.36 2009/02/16 00:31:25 dlg Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.37 2009/03/31 01:21:29 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Michael Shalayeff
@@ -100,8 +100,6 @@
  * | ... |
  * +----------------------------+
  * | EOF pfsync_subheader |
- +----------------------------+
- * | HMAC |
  * +============================+
  */
 