authorAlexander Bluhm <bluhm@cvs.openbsd.org>2008-08-21 23:05:31 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2008-08-21 23:05:31 +0000
commit71eb026afc1294f921fa61b5b714b8b41bfe9993 (patch)
tree1a3f20cd0cbed4d0b7e124c4e9e444bdefaf4a36 /sys
parent4fc786e90318d3dca339a7d33d5c0914af851670 (diff)
Assign the ip and ip6 pointers in ipsp_process_packet() only if a
header of the matching address family is available. Especially do not read ip->ip_off from an IPv6 packet header. ok markus
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ipsec_output.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 6ac50774761..9f993c073be 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.39 2007/06/01 00:52:38 henning Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.40 2008/08/21 23:05:30 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -185,17 +185,20 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
}
#ifdef INET
- ip = mtod(m, struct ip *);
+ if (af == AF_INET) {
+ ip = mtod(m, struct ip *);
- /*
- * This is not a bridge packet, remember if we
- * had IP_DF.
- */
- setdf = ip->ip_off & htons(IP_DF);
+ /*
+ * This is not a bridge packet, remember if we
+ * had IP_DF.
+ */
+ setdf = ip->ip_off & htons(IP_DF);
+ }
#endif /* INET */
#ifdef INET6
- ip6 = mtod(m, struct ip6_hdr *);
+ if (af == AF_INET6)
+ ip6 = mtod(m, struct ip6_hdr *);
#endif /* INET6 */
}
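Review bot: With `ip = mtod(m, struct ip *)`, `setdf = ip->ip_off & htons(IP_DF)` and `ip6 = mtod(m, struct ip6_hdr *)` now assigned only under the matching `af` test, each of the three variables is left untouched on the other address family's path. Any later read of them in ipsp_process_packet() therefore has to sit behind the same `af` check or rely on a defined initial value. The declarations and later uses are outside this hunk (the function starts and ends beyond it), so this cannot be confirmed from here. If they are not already initialised, `ip = NULL; ip6 = NULL; setdf = 0;` ahead of the block would make an unguarded use fail predictably rather than act on an indeterminate pointer. A one-line comment above the two checks, such as `/* ip and ip6 are valid only for the matching af; test af before dereferencing. */`, would record the invariant for the next change.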