CVSROOT:	/cvs
Module name:	src
Changes by:	mar...@cvs.openbsd.org	2011/04/06 13:15:34

Modified files:
	sys/sys        : mbuf.h
	sys/netinet    : ipsec_input.c

Log message:
uncompress a packet with an IPcomp header only once; this prevents
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@
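
The once-only rule from the log message, modelled as an added example (this is not the OpenBSD code, and not part of the commit). The one-byte-per-layer packet format, the `PKT_DECOMPRESSED` flag and the function names are assumptions made for illustration; "decompression" here only strips the layer byte.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model: each layer is one protocol byte followed by its payload. */
enum { P_IPIP = 4, P_TCP = 6, P_IPCOMP = 108 };  /* IANA protocol numbers */
#define PKT_DECOMPRESSED 0x1  /* hypothetical per-packet flag */

struct pkt { const unsigned char *data; size_t len; int flags; };
enum verdict { DELIVER, DROP };

/* Walk the encapsulation chain, allowing at most one IPcomp layer. */
enum verdict input(struct pkt *p)
{
    while (p->len > 0) {
        switch (p->data[0]) {
        case P_IPCOMP:
            /* A payload that yields another IPcomp header after being
             * decompressed (directly, or behind IPIP) is refused. */
            if (p->flags & PKT_DECOMPRESSED)
                return DROP;
            p->flags |= PKT_DECOMPRESSED;
            break;
        case P_IPIP:
            break;  /* decapsulate; the flag stays on the packet */
        case P_TCP:
            return DELIVER;
        default:
            return DROP;
        }
        p->data++;  /* strip this layer and look at the next one */
        p->len--;
    }
    return DROP;  /* no transport header reached */
}

enum verdict classify(const unsigned char *bytes, size_t n)
{
    struct pkt p = { bytes, n, 0 };
    return input(&p);
}

int main(void)
{
    /* Constructed sample packets. */
    const unsigned char nested[] = { P_IPCOMP, P_IPIP, P_IPCOMP, P_TCP };
    const unsigned char plain[]  = { P_IPIP, P_IPCOMP, P_TCP };
    printf("nested=%s plain=%s\n",
           classify(nested, sizeof nested) == DROP ? "drop" : "deliver",
           classify(plain, sizeof plain) == DROP ? "drop" : "deliver");
    return 0;
}
```

Because the flag lives on the packet rather than on the current header, it survives the IPIP decapsulation step, which is what stops the nested case as well as the self-reproducing one.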