authorMaxim Konovalov <maxim@FreeBSD.org>2006-03-23 10:19:35 +0000
committerMaxim Konovalov <maxim@FreeBSD.org>2006-03-23 10:19:35 +0000
commitd8a1588b136706dda2f0772f7270e8773c282361 (patch)
tree1a69f26bb26a725d563f5de974dbaa1fe25ccfd1
parentc2ceacfdd966c8166213d94ca65a60c9a09296e1 (diff)
downloadsrc-d8a1588b136706dda2f0772f7270e8773c282361.tar.gz
src-d8a1588b136706dda2f0772f7270e8773c282361.zip
o Merge SA-06:11.ipsec, SA-06:12.opie.
Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.9/; revision=157042
-rw-r--r--UPDATING7
-rw-r--r--contrib/opie/opiepasswd.c9
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netipsec/xform_esp.c17
4 files changed, 33 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index 7fd759d2fe8d..675511faa740 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,13 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20060323: p24 FreeBSD-SA-06:11.ipsec, FreeBSD-SA-06:12.opie
+ Add missing code needed for the detection of IPSec packet
+ replays. [06:11]
+
+ Correctly identify the user running opiepasswd(1) when the login
+ name differs from the account name. [06:12]
+
20060302: p23 FreeBSD-SA-06:10.nfs
Correct a remote kernel panic when processing zero-length RPC
records via TCP.
diff --git a/contrib/opie/opiepasswd.c b/contrib/opie/opiepasswd.c
index 2e2358ada07a..cd4ff018c3a0 100644
--- a/contrib/opie/opiepasswd.c
+++ b/contrib/opie/opiepasswd.c
@@ -118,11 +118,18 @@ int main FUNCTION((argc, argv), int argc AND char *argv[])
struct opie opie;
int rval, n = 499, i, mode = MODE_DEFAULT, force = 0;
char seed[OPIE_SEED_MAX+1];
+ char *username;
+ uid_t ruid;
struct passwd *pp;
memset(seed, 0, sizeof(seed));
- if (!(pp = getpwnam(getlogin()))) {
+ ruid = getuid();
+ username = getlogin();
+ pp = getpwnam(username);
+ if (username == NULL || pp == NULL || pp->pw_uid != ruid)
+ pp = getpwuid(ruid);
+ if (pp == NULL) {
fprintf(stderr, "Who are you?");
return 1;
}
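Review bot: `pp = getpwnam(username);` runs before `username` is tested for NULL, so a NULL from getlogin() (no controlling terminal, or no login name recorded for the session) is handed straight to getpwnam(); POSIX does not define getpwnam() for a NULL argument, so whether that is harmless depends on the libc rather than on this code. Guard the lookup instead of relying on it: `pp = (username != NULL) ? getpwnam(username) : NULL;` followed by `if (pp == NULL || pp->pw_uid != ruid) pp = getpwuid(ruid);`. The fallback itself is the right shape for the advisory: getlogin() is not authoritative for the calling user, and comparing `pp->pw_uid` with `getuid()` ties the selected password entry to the process's real credentials, which is what the later OPIE record update should be keyed on. Both getpwnam() and getpwuid() return pointers to static storage, so the second call may overwrite the first's result; that is fine here only because `pp` is reassigned and the earlier entry is never used, which deserves a one-line comment. The body of main continues outside the hunk.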
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7fc16d869770..47f07e32f26d 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.9"
-BRANCH="RELEASE-p23"
+BRANCH="RELEASE-p24"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index f9c39c9e678c..7a1f7688c0f7 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -554,6 +554,23 @@ esp_input_cb(struct cryptop *crp)
*/
m->m_flags |= M_DECRYPTED;
+ /*
+ * Update replay sequence number, if appropriate.
+ */
+ if (sav->replay) {
+ u_int32_t seq;
+
+ m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+ sizeof (seq), (caddr_t) &seq);
+ if (ipsec_updatereplay(ntohl(seq), sav)) {
+ DPRINTF(("%s: packet replay check for %s\n", __func__,
+ ipsec_logsastr(sav)));
+ espstat.esps_replay++;
+ error = ENOBUFS;
+ goto bad;
+ }
+ }
+
/* Determine the ESP header length */
if (sav->flags & SADB_X_EXT_OLD)
hlen = sizeof (struct esp) + sav->ivlen;
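Review bot: The rejected replay is reported as `error = ENOBUFS;` and logged as `packet replay check for %s`, neither of which tells a reader that an out-of-window or duplicate sequence number was dropped; ENOBUFS reads as resource exhaustion to anyone tracing the error back from the caller. The log line should name the condition, e.g. `DPRINTF(("%s: packet replay detected for %s\n", __func__, ipsec_logsastr(sav)));`, and the errno choice wants a comment such as `/* XXX no errno describes a replayed packet; ENOBUFS is a placeholder */` so it is not mistaken for a memory failure later. Advancing the replay window here, after decryption and after the authenticator has presumably been verified earlier in esp_input_cb, is the correct ordering, since only authenticated packets may move the window; that earlier part of esp_input_cb is outside the hunk, so it cannot be confirmed from this diff. The `espstat.esps_replay++` counter is the observable signal for replay drops and is worth mentioning in the block comment, which currently only says "Update replay sequence number, if appropriate" and omits that the packet is dropped on failure.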