Module Name:    src
Committed By:   maxv
Date:           Fri Mar 23 08:34:57 UTC 2018

Modified Files:
        src/sys/net/npf: npf_alg_icmp.c

Log Message:
In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that
        ICMPv6 can be set only in IPv6
        ICMPv4 can be set only in IPv4
So we could have ICMPv6 in IPv4.

To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_alg_icmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/sys/net/npf/npf_alg_icmp.c diff -u src/sys/net/npf/npf_alg_icmp.c:1.29 src/sys/net/npf/npf_alg_icmp.c:1.30 --- src/sys/net/npf/npf_alg_icmp.c:1.29 Thu Mar 22 12:16:11 2018 +++ src/sys/net/npf/npf_alg_icmp.c Fri Mar 23 08:34:57 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_alg_icmp.c,v 1.29 2018/03/22 12:16:11 maxv Exp $ */ +/* $NetBSD: npf_alg_icmp.c,v 1.30 2018/03/23 08:34:57 maxv Exp $ */ /*- * Copyright (c) 2010 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.29 2018/03/22 12:16:11 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.30 2018/03/23 08:34:57 maxv Exp $"); #include <sys/param.h> #include <sys/module.h> @@ -213,10 +213,12 @@ npfa_icmp_inspect(npf_cache_t *npc, npf_ * Inspect the ICMP packet. The relevant data might be in the * embedded packet. Fill the "enpc" cache, if so. */ - if (npf_iscached(npc, NPC_IP4)) { + if (npf_iscached(npc, NPC_IP4) && + npc->npc_proto == IPPROTO_ICMP) { const struct icmp *ic = npc->npc_l4.icmp; ret = npfa_icmp4_inspect(ic->icmp_type, enpc, &hasqid); - } else if (npf_iscached(npc, NPC_IP6)) { + } else if (npf_iscached(npc, NPC_IP6) && + npc->npc_proto == IPPROTO_ICMPV6) { const struct icmp6_hdr *ic6 = npc->npc_l4.icmp6; ret = npfa_icmp6_inspect(ic6->icmp6_type, enpc, &hasqid); } else {
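
Review bot: In the npfa_icmp_inspect() hunk, the two new conditions (npc->npc_proto == IPPROTO_ICMP and npc->npc_proto == IPPROTO_ICMPV6) have no comment saying why the protocol must be rechecked once NPC_IP4 or NPC_IP6 is cached; the block comment above them still only reads "Inspect the ICMP packet". One sentence there recording that the entry point allows ICMPv6 inside IPv4, and the reverse, would keep a later cleanup from dropping the check as redundant. The mismatched combinations now reach the trailing "} else {" branch, whose body lies outside the visible context, so it is worth confirming that it rejects the packet rather than continuing with an unfilled enpc. Since the log message places the root cause at the NPF entry point, other readers of npc_l4.icmp and npc_l4.icmp6 may need the same version/protocol pairing check; enforcing it once where the cache is filled would cover them all.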