
List:       opensolaris-security-discuss
Subject:    Re: [security-discuss] [networking-discuss] Reminder: Detangle code
From:       Dan McDonald <danmcd () sun ! com>
Date:       2007-08-15 17:28:51
Message-ID: 20070815172851.GG22634 () kebe ! East ! Sun ! COM

On Wed, Aug 15, 2007 at 11:29:50AM -0400, Sebastien Roy wrote:
> Hi Dan,
> 
> Dan McDonald wrote:
> > 	http://cr.opensolaris.org/~danmcd/detangle/
> 
> Two minor comments:
> 
> ip.c:
> 
> 12771: if we hit this condition (IP and UDP headers in separate mblks), 
> it looks like we'll never check for ESP-in-UDP because we'll never call 
> ip_udp_check().  We'll be kicked over to the "slow path" and directly to 
> ip_fanout_udp() without passing go.

ip_fanout_udp() calls ip_fanout_udp_conn(), where we ALSO have a
zero_spi_check().  (In fact, it's this function's path that had an IRE
reference leak until VERY recently.)

You bring up, however, a good point that I need to possibly pullup further in
zero_spi_check().

> 17453,17455: did you mean ESP-in-UDP?

I sure did.  Thanks!

Both webrevs are now being updated.  They should be ready by the time most
people receive this e-mail.

Dan
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
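
Added example, not part of the original thread and not the OpenSolaris code: a sketch of why the ESP-in-UDP check discussed above must still give the right answer when the headers and the SPI sit in separate buffers. It applies the RFC 3948 rule (a zero SPI marks IKE, a nonzero SPI marks ESP, a lone 0xFF byte is a NAT keepalive); `struct seg`, `chain_read`, `classify_natt`, `classify_split` and the sample bytes are hypothetical stand-ins, not the `mblk` or `zero_spi_check()` implementation.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for an mblk chain: one packet spread over segments. */
struct seg { const uint8_t *data; size_t len; const struct seg *next; };
enum natt_kind { NATT_TOO_SHORT, NATT_KEEPALIVE, NATT_IKE, NATT_ESP_IN_UDP };

/* Copy n bytes from packet offset off, crossing segment boundaries.
 * Returns 0 on success, -1 if the chain ends first. */
static int chain_read(const struct seg *s, size_t off, uint8_t *out, size_t n)
{
    size_t got = 0;
    for (; s != NULL && got < n; s = s->next) {
        if (off >= s->len) { off -= s->len; continue; }
        while (off < s->len && got < n)
            out[got++] = s->data[off++];
        off = 0;                          /* next segment starts at its byte 0 */
    }
    return got == n ? 0 : -1;
}

/* Classify a datagram on the UDP-encapsulation port per RFC 3948. */
enum natt_kind classify_natt(const struct seg *pkt, size_t ip_hdr_len)
{
    size_t off = ip_hdr_len + 8;          /* UDP header is 8 bytes */
    uint8_t m[4], extra;

    if (chain_read(pkt, off, m, 1) != 0)
        return NATT_TOO_SHORT;            /* no payload at all */
    if (chain_read(pkt, off + 1, &extra, 1) != 0)
        return m[0] == 0xFF ? NATT_KEEPALIVE : NATT_TOO_SHORT;
    if (chain_read(pkt, off, m, 4) != 0)
        return NATT_TOO_SHORT;            /* 2 or 3 bytes: no full SPI */
    return (m[0] | m[1] | m[2] | m[3]) == 0 ? NATT_IKE : NATT_ESP_IN_UDP;
}

/* Constructed sample: zeroed 20-byte IP header, zeroed 8-byte UDP header,
 * and the first two SPI bytes (zero); the last two SPI bytes come from b2, b3. */
static const uint8_t head[30] = { 0 };

/* Split layout: IP header | UDP header + half the SPI | rest of the SPI. */
enum natt_kind classify_split(uint8_t b2, uint8_t b3)
{
    uint8_t tail[2] = { b2, b3 };
    struct seg s3 = { tail, 2, NULL };
    struct seg s2 = { head + 20, 10, &s3 };
    struct seg s1 = { head, 20, &s2 };
    return classify_natt(&s1, 20);
}
```

A check that only inspects the first buffer would see two zero bytes in the split ESP case and could not tell it from IKE; reading across the chain (or pulling up first) avoids that.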