
When we are doing SA lookup for TCP-MD5, check both source and

destination addresses. The previous code used only the destination address
for the lookup, but for inbound packets the source address was used as the SA
destination address. Thus only outbound SAs were used for both directions.
Now we use addresses from a packet as is, thus SAs for both directions are
needed.

Reported by:	Mike Tancsa
MFC after:	1 week
This commit is contained in:
Andrey V. Elsukov 2017-04-04 13:41:50 +00:00
parent a734ae9c14
commit 9c2b99b912
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=316490


@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx)
kdebug_secash(sah, " "));
if (sah->saidx.proto != IPPROTO_TCP)
continue;
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
!key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {
@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
if (sah->saidx.proto != IPPROTO_TCP)
continue;
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
!key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {
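Review bot: The two-address match added in key_allocsa_tcpmd5 is duplicated verbatim in key_getsav_tcpmd5 (second hunk), and the reason it must compare both endpoints — TCP-MD5 SAs are now direction-specific, so a lookup keyed on the destination alone would silently select the wrong direction's SA — is stated only in the commit message, not at either call site. A small static helper carrying that rationale as a comment would keep the two lookups from drifting apart the next time one of them is touched; sketch below. If key_sockaddrcmp takes const pointers the helper's parameters can be const-qualified as well. Both enclosing functions start and end outside the hunks.
```c
/*
 * TCP-MD5 SAs are matched on both endpoints: a packet's src/dst pair
 * selects only the SA for that direction, so the lookup must not
 * fall back to a destination-only match.
 */
static int
key_saidx_tcpmd5_match(struct secasindex *a, struct secasindex *b)
{
	return (!key_sockaddrcmp(&a->dst.sa, &b->dst.sa, 0) &&
	    !key_sockaddrcmp(&a->src.sa, &b->src.sa, 0));
}
/* … unchanged: loop over the address hash, IPPROTO_TCP filter … */
		if (key_saidx_tcpmd5_match(saidx, &sah->saidx))
			break;
```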