diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-08-21 23:05:31 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2008-08-21 23:05:31 +0000 |
commit | 71eb026afc1294f921fa61b5b714b8b41bfe9993 (patch) | |
tree | 1a3f20cd0cbed4d0b7e124c4e9e444bdefaf4a36 /sys | |
parent | 4fc786e90318d3dca339a7d33d5c0914af851670 (diff) |
Assign the ip and ip6 pointers in ipsp_process_packet() only if a
header of the matching address family is available. Especially do
not read ip->ip_off from an IPv6 packet header.
ok markus
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ipsec_output.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c index 6ac50774761..9f993c073be 100644 --- a/sys/netinet/ipsec_output.c +++ b/sys/netinet/ipsec_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_output.c,v 1.39 2007/06/01 00:52:38 henning Exp $ */ +/* $OpenBSD: ipsec_output.c,v 1.40 2008/08/21 23:05:30 bluhm Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -185,17 +185,20 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) } #ifdef INET - ip = mtod(m, struct ip *); + if (af == AF_INET) { + ip = mtod(m, struct ip *); - /* - * This is not a bridge packet, remember if we - * had IP_DF. - */ - setdf = ip->ip_off & htons(IP_DF); + /* + * This is not a bridge packet, remember if we + * had IP_DF. + */ + setdf = ip->ip_off & htons(IP_DF); + } #endif /* INET */ #ifdef INET6 - ip6 = mtod(m, struct ip6_hdr *); + if (af == AF_INET6) + ip6 = mtod(m, struct ip6_hdr *); #endif /* INET6 */ } |