authorMike Belopuhov <mikeb@cvs.openbsd.org>2017-08-17 10:14:09 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2017-08-17 10:14:09 +0000
commit32662d6e1cc762b35e66bf7b3247958f3d1c696a (patch)
tree1edec8e6b55cbcd5dda55e9afc3a1519111a1792 /sys
parent4d646e4c757186bf17f09fc2f08001660f36558e (diff)
Skip SPD lookups for short packets on IPsec-enabled bridge
When short packets are sent to the bridge with IPsec enabled, an incorrect error path can be taken which leads to a lookup of an SPD entry using an uninitialized SPI. Most of the time this will fail, however there's a chance that an existing SPD entry corresponds to the provided SPI which leads to use of another uninitialized variable used to offset the IP or IPv6 header in order to get to the security protocol header. ESP performs packet length checks and will fail when such packets will reach it, but AH and IPComp don't have similar checks and are affected the most. CID 1452946, 1452957; Severity: Major OK millert, visa, bluhm
Diffstat (limited to 'sys')
-rw-r--r--sys/net/if_bridge.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 0e048205475..64e5a7f57dc 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.297 2017/05/16 12:24:01 mpi Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.298 2017/08/17 10:14:08 mikeb Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -1406,7 +1406,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
switch (af) {
case AF_INET:
if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
- break;
+ goto skiplookup;
ip = mtod(m, struct ip *);
proto = ip->ip_p;
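Review bot: The length guard in the AF_INET case, `m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)`, compares the result of a subtraction against a size_t. If both operands are signed ints (their declarations are outside the hunk), a packet whose m_pkthdr.len is smaller than hlen gives a negative difference that converts to a large unsigned value, so the guard passes and the packet never reaches `skiplookup`. Callers may already guarantee hlen <= m_pkthdr.len, but this check is what keeps the SPD lookup away from the uninitialized SPI, so it is worth making it self-contained: `if (m->m_pkthdr.len < hlen || m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))`. The AF_INET6 hunk uses the same expression and would need the same change. The rest of the switch and the `skiplookup` label lie outside the hunk, so what runs after the jump cannot be confirmed from here.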
@@ -1427,7 +1427,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
#ifdef INET6
case AF_INET6:
if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
- break;
+ goto skiplookup;
ip6 = mtod(m, struct ip6_hdr *);