[Openswan dev] wrong length check for ESP packets in transport mode
Tino Keitel
tino.keitel at innominate.com
Thu Apr 26 14:01:06 EDT 2007
Hi folks,

I had problems with very short UDP packets (2 bytes of payload) in
IPsec transport mode; they were dropped in ipsec_esp.c. Packets with a
longer payload worked, though.

It looks like this length check in ipsec_esp.c:ipsec_rcv_esp_checks()
is wrong:

    if(skb->len < (irs->hard_header_len + sizeof(struct iphdr) + sizeof(struct esphdr))) {
        KLIPS_PRINT(debug_rcv & DB_RX_INAU,
                    "klips_debug:ipsec_rcv: "
                    "runt esp packet of skb->len=%d received from %s, dropped.\n",
                    skb->len,
                    irs->ipsaddr_txt);
        if(irs->stats) {
            irs->stats->rx_errors++;
        }
        return IPSEC_RCV_BADLEN;
    }

At this point, the layer 2 part is already thrown away and subtracted
from skb->len (see [1] and [2]), so the hard_header_len shouldn't be
included in the minimum length calculation.

This also seems very likely as irs->hard_header_len is reported as 14.
UDP packets that contain up to 6 bytes of payload are dropped, packets
with 7 bytes of payload and more are accepted.

8 (UDP header) + 6 (payload) = 14.

Regards,
Tino
[1] linux/net/ipv4/ip_input.c:ip_local_deliver_finish()
[2] linux/include/linux/skbuff.h:__skb_pull()
--
Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.6392-3309
Fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin
http://www.innominate.com/
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
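
The effect described in the message above can be reproduced in a small user-space model. This is an added example, not code from Openswan/KLIPS or from the original post: struct toy_skb, the helper names and the header sizes (14-byte link header, 20-byte IPv4 header, 8-byte ESP header) are assumptions chosen for illustration. It counts how many buffer lengths are dropped only because the link-layer header, already pulled from the buffer, is still added to the minimum.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for this model (assumptions, not read from KLIPS headers). */
#define ETH_HLEN    14  /* link-layer header; the post reports hard_header_len = 14 */
#define IP_HDR_LEN  20  /* IPv4 header without options */
#define ESP_HDR_LEN  8  /* SPI + sequence number */

/* Hypothetical stand-in for the two sk_buff-related values that matter here. */
struct toy_skb {
    size_t len;             /* bytes from the current data pointer to the end */
    size_t hard_header_len; /* size of the link-layer header the frame arrived with */
};

/* Model of the link-layer header being pulled before the ESP code runs. */
static void toy_pull_l2(struct toy_skb *skb)
{
    skb->len -= skb->hard_header_len;
}

/* Check as quoted in the post: still counts the link-layer header. */
static int runt_check_quoted(const struct toy_skb *skb)
{
    return skb->len < skb->hard_header_len + IP_HDR_LEN + ESP_HDR_LEN;
}

/* Check as the post proposes: only the headers still present in the buffer. */
static int runt_check_proposed(const struct toy_skb *skb)
{
    return skb->len < IP_HDR_LEN + ESP_HDR_LEN;
}

/* Count on-wire frame sizes up to max_frame that only the quoted check drops. */
static size_t count_wrongly_dropped(size_t max_frame)
{
    size_t n = 0;
    for (size_t frame = ETH_HLEN; frame <= max_frame; frame++) {
        struct toy_skb skb = { frame, ETH_HLEN };
        toy_pull_l2(&skb);
        if (runt_check_quoted(&skb) && !runt_check_proposed(&skb))
            n++;
    }
    return n;
}

int main(void)
{
    printf("lengths dropped only by the quoted check: %zu\n",
           count_wrongly_dropped(1514));
    return 0;
}
```

The window of wrongly dropped lengths is exactly as wide as hard_header_len, whatever the other header sizes are in the real structures.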