From 207bd73af718bfad9260482cfb2b9af9679ca424 Mon Sep 17 00:00:00 2001
From: yasuoka
Date: Fri, 26 Jul 2024 15:45:31 +0000
Subject: [PATCH] In pipex_l2tp_input(), check if ipsecflowinfo is not changed instead of updating it blindly. ok mvs
---
 sys/net/pipex.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index ba3038ed07b..c1bb5a86bcf 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.154 2024/06/07 13:43:21 jsg Exp $ */
+/* $OpenBSD: pipex.c,v 1.155 2024/07/26 15:45:31 yasuoka Exp $ */
 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -2031,7 +2031,13 @@ pipex_l2tp_input(struct mbuf *m0, int off0, struct pipex_session *session,
 mtx_enter(&session->pxs_mtx);
 l2tp_session = &session->proto.l2tp;
- l2tp_session->ipsecflowinfo = ipsecflowinfo;
+ if (l2tp_session->ipsecflowinfo != ipsecflowinfo) {
+ pipex_session_log(session, LOG_DEBUG,
+ "received message is %s",
+ (ipsecflowinfo != 0)? "from invalid ipsec flow" :
+ "without ipsec");
+ goto drop;
+ }
 m_copydata(m0, off0, sizeof(flags), &flags);
--
2.20.1
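Review bot: The new mismatch branch in pipex_l2tp_input() does `goto drop` while `session->pxs_mtx` is still held, and the `drop` label is outside this hunk, so it is worth confirming that path releases the mutex before the mbuf is freed. The hunk also removes the only visible assignment to `l2tp_session->ipsecflowinfo`, so the comparison is only meaningful if the stored value is set elsewhere when the session is established; if it stayed 0, every IPsec-protected packet would be rejected here. A short comment above the check, for example `/* drop packets that did not arrive via the IPsec flow recorded for this session */`, would record why a mismatch is treated as an error rather than an update. The rejection is reported only at `LOG_DEBUG`, so at default log levels these drops would presumably be visible only through whatever error counter the `drop` path maintains, if any.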