author | Robert Wing <rew@FreeBSD.org> | 2022-01-09 01:07:50 +0000 |
---|---|---|
committer | Robert Wing <rew@FreeBSD.org> | 2022-01-09 01:32:14 +0000 |
commit | eb18708ec8c7e1de6a05aba41971659549991b10 (patch) | |
tree | c18c11bf230e1740f51f0e1744f4b5c32d91cce4 /sys/netipsec | |
parent | 91d388119ae229702538b96d79cf76556cf0ecf4 (diff) | |
download | src-eb18708ec8c7e1de6a05aba41971659549991b10.tar.gz src-eb18708ec8c7e1de6a05aba41971659549991b10.zip |
syncache: accept packet with no SA when TCP_MD5SIG is set
When TCP_MD5SIG is set on a socket, all packets are dropped that don't
contain an MD5 signature. Relax this behavior to accept a non-signed
packet when a security association doesn't exist with the peer.
This is useful when a listen socket set with TCP_MD5SIG wants to handle
connections protected with and without MD5 signatures.
Reviewed by: bz (previous version)
Sponsored by: nepustil.net
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33227
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/xform_tcp.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c index b53544cd00fb..ce2552f0a205 100644 --- a/sys/netipsec/xform_tcp.c +++ b/sys/netipsec/xform_tcp.c @@ -269,6 +269,11 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf) KMOD_TCPSTAT_INC(tcps_sig_err_buildsig); return (ENOENT); } + if (buf == NULL) { + key_freesav(&sav); + KMOD_TCPSTAT_INC(tcps_sig_err_nosigopt); + return (EACCES); + } /* * tcp_input() operates with TCP header fields in host * byte order. We expect them in network byte order. |
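Review bot: the new `if (buf == NULL)` check is placed after the SA lookup, so it rejects a packet that lacks the MD5 option only when an SA for the peer does exist; the relaxed behaviour the commit message describes (accept an unsigned packet when no SA exists) is not in this hunk and must come from the caller treating the existing `return (ENOENT)` on the SA-not-found path as non-fatal. A comment above the check would make that contract explicit, e.g. `/* SA exists but the segment carries no MD5 option: reject. */`, since nothing in the visible code states that `buf == NULL` means the signature option was absent. Dropping the SA reference with `key_freesav(&sav)` before the early return is correct and avoids leaking the reference on the EACCES path. The Diffstat touches only sys/netipsec/xform_tcp.c, so `tcps_sig_err_nosigopt` must already be a tcpstat counter; if it is not, the change does not build and the counter definition belongs in the same commit.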