[Openswan dev] wrong length check for ESP packets in transport mode

Tino Keitel tino.keitel at innominate.com
Thu Apr 26 14:01:06 EDT 2007


Hi folks,

I had problems with very short UDP packets (2 bytes of payload) in
IPsec transport mode, they were dropped in ipsec_esp.c. Packets with a
longer payload worked, though.

It looks like this length check in ipsec_esp.c:ipsec_rcv_esp_checks()
is wrong:

if(skb->len < (irs->hard_header_len + sizeof(struct iphdr) + sizeof(struct esphdr))) {
	KLIPS_PRINT(debug_rcv & DB_RX_INAU,
		    "klips_debug:ipsec_rcv: "
		    "runt esp packet of skb->len=%d received "
		    "from %s, dropped.\n",
		    skb->len,
		    irs->ipsaddr_txt);
	if(irs->stats) {
		irs->stats->rx_errors++;
	}
	return IPSEC_RCV_BADLEN;
}

At this point, the layer 2 part is already thrown away and subtracted
from skb->len (see [1] and [2]), so the hard_header_len shouldn't be
included in the minimum length calculation.

This also seems very likely as irs->hard_header_len is reported as 14.
UDP packets that contain up to 6 bytes of payload are dropped, packets
with 7 bytes of payload and more are accepted.

8 (UDP header) + 6 (payload) = 14.

Regards,
Tino

[1] linux/net/ipv4/ip_input.c:ip_local_deliver_finish()
[2] linux/include/linux/skbuff.h:__skb_pull()

-- 
Tino Keitel
Software Engineer
 
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.6392-3309
Fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin
http://www.innominate.com/

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
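
Added example, not part of the original post and not Openswan code: a user-space C model of the double count described in the message above. It follows the post's reading that only the link-layer header has been pulled before the check; the struct, the function names and the 8-byte ESP header size are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for this model; not taken from the KLIPS headers. */
#define L2_HDR_LEN  14u  /* hard_header_len value reported in the post */
#define IP_HDR_LEN  20u  /* IPv4 header without options */
#define ESP_HDR_LEN  8u  /* SPI + sequence number (assumption) */

/* Hypothetical stand-in for the sk_buff fields that matter here. */
struct model_skb {
    const unsigned char *data;
    size_t len;
};

/* Mirrors what a pull does: advance data, shrink len. */
static void model_pull(struct model_skb *skb, size_t n)
{
    skb->data += n;
    skb->len  -= n;
}

/* The comparison as posted: the link-layer header is counted again. */
int check_posted(const struct model_skb *skb, size_t hard_header_len)
{
    return skb->len >= hard_header_len + IP_HDR_LEN + ESP_HDR_LEN;
}

/* The comparison the post argues for: no link-layer term. */
int check_without_l2(const struct model_skb *skb)
{
    return skb->len >= IP_HDR_LEN + ESP_HDR_LEN;
}

/* Count frame sizes that only the posted check rejects after the pull. */
size_t wrongly_dropped_sizes(size_t max_frame_len)
{
    static const unsigned char frame[2048]; /* constructed, all zero */
    size_t n, dropped = 0;
    for (n = L2_HDR_LEN; n <= max_frame_len && n <= sizeof(frame); n++) {
        struct model_skb skb = { frame, n };
        model_pull(&skb, L2_HDR_LEN);
        if (check_without_l2(&skb) && !check_posted(&skb, L2_HDR_LEN))
            dropped++;
    }
    return dropped;
}

int main(void)
{
    printf("dropped only by posted check: %zu sizes\n", wrongly_dropped_sizes(1514));
    return 0;
}
```

The window of wrongly rejected lengths is exactly as wide as the header that was counted twice, which is why the symptom only shows up for very small payloads.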

