Accept and ignore SADB_X_EXT_REPLAY and SADB_X_EXT_COUNTER payloads for

incoming SADB_ADD and SADB_UPDATE message. Since we send them as part of
the SADB_GET reply we must also accept them on SADB_ADD/UPDATE as sasyncd
will forward payloads previously received in SADB_GET. Fixes a bug where
sasync can't restore SAs because pfkey returns EINVAL.

From Rafa\xc5\x82 Ramocki
ok bluhm@

diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index ad11651..048529f 100644 (file)
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfkeyv2_parsemessage.c,v 1.62 2023/09/29 18:45:42 tobhe Exp $ */
+/*     $OpenBSD: pfkeyv2_parsemessage.c,v 1.63 2024/07/23 20:04:51 tobhe Exp $ */
 
 /*
  *     @(#)COPYRIGHT   1.1 (NRL) 17 January 1995
@@ -144,9 +144,9 @@ uint64_t sadb_exts_allowed_in[SADB_MAX+1] =
        /* GETSPI */
        BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
        /* UPDATE */
-       BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_ADDRESS_PROXY | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP | BITMAP_X_RDOMAIN | BITMAP_X_IFACE,
+       BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_ADDRESS_PROXY | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_TAG | BITMAP_X_TAP | BITMAP_X_RDOMAIN | BITMAP_X_COUNTER | BITMAP_X_REPLAY | BITMAP_X_IFACE,
        /* ADD */
-       BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP | BITMAP_X_RDOMAIN | BITMAP_X_IFACE,
+       BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_FLOW | BITMAP_X_UDPENCAP | BITMAP_X_LIFETIME_LASTUSE | BITMAP_X_TAG | BITMAP_X_TAP | BITMAP_X_RDOMAIN | BITMAP_X_COUNTER | BITMAP_X_REPLAY | BITMAP_X_IFACE,
        /* DELETE */
        BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_X_RDOMAIN,
        /* GET */
@@ -851,6 +851,19 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
                                return (EINVAL);
                        }
                        break;
+               case SADB_X_EXT_REPLAY:
+                       if (i != sizeof(struct sadb_x_replay)) {
+                               DPRINTF("bad REPLAY header length");
+                               return (EINVAL);
+                       }
+                       break;
+               case SADB_X_EXT_COUNTER:
+                       if (i != sizeof(struct sadb_x_counter)) {
+                               DPRINTF("bad COUNTER header length");
+                               return (EINVAL);
+                       }
+                       break;
+
 #if NPF > 0
                case SADB_X_EXT_TAG:
                        if (i < sizeof(struct sadb_x_tag)) {