NetBSD Problem Report #44463

From Wolfgang.Stukenbrock@nagler-company.com  Wed Jan 26 10:31:12 2011
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 3B4C763B873
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 26 Jan 2011 10:31:12 +0000 (UTC)
Message-Id: <20110126103102.7B2531E80CE@test-s0.nagler-company.com>
Date: Wed, 26 Jan 2011 11:31:02 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets
X-Send-Pr-Version: 3.95

>Number:         44463
>Category:       kern
>Synopsis:       FAST_IPSEC may send icmp-error message for expanded IPCOMP-tunnel packets
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 26 10:35:00 +0000 2011
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:


System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
	For the IPSEC implementation the M_DECRYPTED flag is set in both cases (ESP and IPCOMP)
	if a packet is processed.
	This flag is used in /usr/src/sys/netinet/ip_icmp.c (line 246) to avoid sending an icmp error packet.

	In the FAST_IPSEC implementation this flag is only set after ESP processing.
	So if you set up an IPCOMP-only-tunnel, icmp error packets may be generated for the decrypted packet.

	Accidentally the M_DECRYPTED flag is used in /usr/src/sys/netipsec/ipsec.c function ipsec_in_reject()
	to detect if a packet has been successfully processed by ESP. So this flag cannot be used
	for IPCOMP too in FAST_IPSEC.
>How-To-Repeat:
	Found by a look into the sources.
>Fix:
	I think another flag (e.g. M_IPCOMP_DONE 0x100000) is needed in the set of mbuf-flags, but I'm not sure
	if this is OK. Therefore I've added no patch up to now.
	This flag should be added to M_COPYFLAGS and M_FLAGS_BITS too - as far as I understand the mbuf processing.

	If this flag is added, it must be checked in ip_icmp.c (line 246) too and set after IPCOMP processing is done
	in /usr/src/sys/netipsec/xform_ipcomp.c function ipcomp_input_cb() prior to the call to the macro IPSEC_COMMON_INPUT_CB().
	This would introduce the same semantics in FAST_IPSEC as in IPSEC.
	The flag may be used in the IPSEC part too, but it is not necessary for the functionality.

>Unformatted:
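
The flag logic described in this report, as a user-space model added here for illustration (not NetBSD kernel code and not a patch from the submitter). It compares IPSEC, FAST_IPSEC as reported, reusing M_DECRYPTED for IPCOMP, and the proposed M_IPCOMP_DONE flag. The function names, the variant enum and the M_DECRYPTED bit value are assumptions of the model; only M_IPCOMP_DONE 0x100000 comes from the report.

```c
#include <stdio.h>

/* Constructed bit value for this model; the kernel's real value is in sys/mbuf.h. */
#define M_DECRYPTED   0x000800
/* Value proposed in the report. */
#define M_IPCOMP_DONE 0x100000

enum variant { V_IPSEC, V_FAST_IPSEC, V_FAST_REUSE, V_FAST_NEWFLAG };
enum proto { PROTO_ESP, PROTO_IPCOMP };

/* m_flags bits left on the inner packet after input processing. */
static int flags_after_input(enum variant v, enum proto p)
{
    if (p == PROTO_ESP)
        return M_DECRYPTED;                    /* every variant marks ESP */
    switch (v) {
    case V_IPSEC:        return M_DECRYPTED;   /* IPSEC marks IPCOMP too */
    case V_FAST_REUSE:   return M_DECRYPTED;   /* alternative the report rules out */
    case V_FAST_NEWFLAG: return M_IPCOMP_DONE; /* proposed fix */
    default:             return 0;             /* FAST_IPSEC as reported */
    }
}

/* Model of the ip_icmp.c check: nonzero means an ICMP error may be sent. */
static int icmp_error_allowed(enum variant v, int m_flags)
{
    int mask = M_DECRYPTED;
    if (v == V_FAST_NEWFLAG)
        mask |= M_IPCOMP_DONE;                 /* fix also tests the new flag */
    return (m_flags & mask) == 0;
}

/* Model of the ipsec_in_reject() use: M_DECRYPTED is read as "ESP succeeded". */
static int treated_as_esp_done(int m_flags)
{
    return (m_flags & M_DECRYPTED) != 0;
}

int main(void)
{
    static const char *name[] = { "IPSEC", "FAST_IPSEC", "reuse M_DECRYPTED", "M_IPCOMP_DONE" };
    for (int v = V_IPSEC; v <= V_FAST_NEWFLAG; v++) {
        int f = flags_after_input((enum variant)v, PROTO_IPCOMP);
        printf("%-18s icmp_error=%d esp_done=%d\n", name[v],
               icmp_error_allowed((enum variant)v, f), treated_as_esp_done(f));
    }
    return 0;
}
```

For an IPCOMP-only packet, only the separate flag both suppresses the ICMP error and keeps the packet from being read as ESP-processed.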
