summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-06-19 17:11:33 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-06-19 17:11:33 +0000
commit8dbce7cfc35c2c8490fa9cf261022b83d3baddd2 (patch)
tree3a1fee4ec7904ed653dac22f8e6c0a6cad2c6c14 /sys
parente7a7393c0f5ddb1666a99994ed4ff068af9c8921 (diff)
correct header chasing code. take care of AH length.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ipsec_input.c44
1 files changed, 29 insertions, 15 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 28e5e72ff82..4c17c487b10 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.27 2000/06/18 19:10:50 angelos Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.28 2000/06/19 17:11:32 itojun Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -766,8 +766,9 @@ esp4_input_cb(struct mbuf *m, ...)
int
ah6_input(struct mbuf **mp, int *offp, int proto)
{
- u_int8_t nxt = 0;
+ int l = 0;
int protoff;
+ struct ip6_ext ip6e;
if (*offp < sizeof(struct ip6_hdr))
{
@@ -785,14 +786,20 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
do
{
- protoff += nxt;
- m_copydata(*mp, protoff + offsetof(struct ip6_ext, ip6e_len),
- sizeof(u_int8_t), (caddr_t) &nxt);
- nxt = (nxt + 1) * 8;
- } while (protoff + nxt < *offp);
+ protoff += l;
+ m_copydata(*mp, protoff, sizeof(ip6e), (caddr_t) &ip6e);
+ if (ip6e.ip6e_nxt == IPPROTO_AH)
+ l = (ip6e.ip6e_len + 2) << 2;
+ else
+ l = (ip6e.ip6e_len + 1) << 3;
+#ifdef DIAGNOSTIC
+ if (l <= 0)
+ panic("ah6_input: l went zero or negative");
+#endif
+ } while (protoff + l < *offp);
/* Malformed packet check */
- if (protoff + nxt != *offp)
+ if (protoff + l != *offp)
{
DPRINTF(("ah6_input(): bad packet header chain\n"));
ahstat.ahs_hdrops++;
@@ -854,8 +861,9 @@ bad:
int
esp6_input(struct mbuf **mp, int *offp, int proto)
{
- u_int8_t nxt = 0;
+ int l = 0;
int protoff;
+ struct ip6_ext ip6e;
if (*offp < sizeof(struct ip6_hdr))
{
@@ -873,14 +881,20 @@ esp6_input(struct mbuf **mp, int *offp, int proto)
do
{
- protoff += nxt;
- m_copydata(*mp, protoff + offsetof(struct ip6_ext, ip6e_len),
- sizeof(u_int8_t), (caddr_t) &nxt);
- nxt = (nxt + 1) * 8;
- } while (protoff + nxt < *offp);
+ protoff += l;
+ m_copydata(*mp, protoff, sizeof(ip6e), (caddr_t) &ip6e);
+ if (ip6e.ip6e_nxt == IPPROTO_AH)
+ l = (ip6e.ip6e_len + 2) << 2;
+ else
+ l = (ip6e.ip6e_len + 1) << 3;
+#ifdef DIAGNOSTIC
+ if (l <= 0)
+ panic("esp6_input: l went zero or negative");
+#endif
+ } while (protoff + l < *offp);
/* Malformed packet check */
- if (protoff + nxt != *offp)
+ if (protoff + l != *offp)
{
DPRINTF(("esp6_input(): bad packet header chain\n"));
espstat.esps_hdrops++;