From 21f83cc096fdf28c762eaa7618f3321e5c8504bd Mon Sep 17 00:00:00 2001
From: tobhe
Date: Fri, 29 Sep 2023 18:40:08 +0000
Subject: [PATCH] Only forward validated pfkey messages to promiscuous listeners. Fixes a bunch of crashes with ipsecctl -m. ok bluhm@
---
 sys/net/pfkeyv2.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index e750ae8bdbe..d4ca7c2358e 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.257 2023/08/07 03:35:06 dlg Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.258 2023/09/29 18:40:08 tobhe Exp $ */
 
 /*
 * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -1162,6 +1162,10 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
 
 rdomain = kp->kcb_rdomain;
 
+ /* Validate message format */
+ if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0)
+ goto ret;
+
 /* If we have any promiscuous listeners, send them a copy of the message */
 if (promisc) {
 struct mbuf *packet;
@@ -1208,10 +1212,6 @@ pfkeyv2_dosend(struct socket *so, void *message, int len)
 freeme_sz = 0;
 }
 
- /* Validate message format */
- if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0)
- goto ret;
-
 /* use specified rdomain */
 srdomain = (struct sadb_x_rdomain *) headers[SADB_X_EXT_RDOMAIN];
 if (srdomain) {
-- 
2.20.1
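Review bot: The comment on the moved check in the second hunk, `/* Validate message format */`, does not say why it must sit above the promiscuous-forwarding block, so a later reordering could bring back the crashes the commit message mentions. I would state the invariant there, e.g. `/* Validate before forwarding: promiscuous listeners must only ever receive well-formed messages */`. The same comment could note that a message rejected here now jumps to `ret` without being copied to any listener, so monitors such as `ipsecctl -m` no longer see malformed PF_KEY input. If that visibility matters for debugging or detection it needs a separate path, which this hunk does not add. The body of pfkeyv2_dosend starts and ends outside the hunk, so the cleanup at `ret` for this earlier exit is not visible here.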