xnu-3248.60.10.tar.gz
[apple/xnu.git] / bsd / netinet6 / esp_input.c
index 1718e87bd936f7b1a2543d5ade6b6f996dcee664..e51ea9b0f972fc870b021907bbd32488a8a5d031 100644 (file)
@@ -168,7 +168,7 @@ esp6_input_strip_udp_encap (struct mbuf *m, int ip6hlen)
        m->m_len -= stripsiz;
        m->m_pkthdr.len -= stripsiz;
        ip6 = mtod(m, __typeof__(ip6));
-       ip6->ip6_plen = ip6->ip6_plen - stripsiz;
+       ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
        ip6->ip6_nxt = IPPROTO_ESP;
        return ip6;
 }
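Review bot: The new `ip6_plen` line fixes the byte order but the subtraction still has no visible lower bound. If the header's payload length is smaller than `stripsiz`, `ntohs(ip6->ip6_plen) - stripsiz` goes negative and htons() truncates it to a large 16-bit length. The `m->m_len` and `m->m_pkthdr.len` adjustments just above have the same exposure. The start of esp6_input_strip_udp_encap is outside the hunk, so a guard may already exist there. If it does not, a check such as `if (ntohs(ip6->ip6_plen) < stripsiz) return NULL;` ahead of the adjustments would close it, provided the callers handle a NULL return.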
@@ -1272,7 +1272,7 @@ noreplaycheck:
                        }
                }
 
-               if (proto_input(PF_INET6, m) != 0)
+               if (proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m) != 0)
                        goto bad;
                nxt = IPPROTO_DONE;
        } else {
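Review bot: The ternary passed to `proto_input()` sends every value of `ifamily` other than `AF_INET` to `PF_INET6`, so an unexpected family would be dispatched as IPv6 without any signal. Where `ifamily` is assigned is outside the hunk, so it may already be limited to the two families. If so, a comment such as `/* inner family of the decapsulated packet: AF_INET or AF_INET6 only, validated above */` would record that assumption at the dispatch site. If it is not limited, an explicit `AF_INET6` comparison with a `goto bad` fallback would be safer than the implicit default.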
@@ -1371,6 +1371,17 @@ noreplaycheck:
                        goto bad;
                }
 
+               /*
+                * Set the csum valid flag, if we authenticated the
+                * packet, the payload shouldn't be corrupt unless
+                * it was corrupted before being signed on the other
+                * side.
+                */
+               if (nxt == IPPROTO_TCP || nxt == IPPROTO_UDP) {
+                       m->m_pkthdr.csum_flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
+                       m->m_pkthdr.csum_data = 0xFFFF;
+               }
+
                // Input via IPSec interface
                if (sav->sah->ipsec_if != NULL) {
                        if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
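Review bot: The added block marks the TCP/UDP checksum as verified based only on `nxt`, while its comment justifies this with "if we authenticated the packet". The hunk sits after the `noreplaycheck:` label, which suggests that SAs without an authentication algorithm also reach this code; the check that decides this is outside the hunk. For encryption-only ESP the payload has no integrity protection, so skipping the transport checksum removes the last check on modified ciphertext. Consider gating on the SA actually having authenticated, for example `if ((nxt == IPPROTO_TCP || nxt == IPPROTO_UDP) && sav->alg_auth && sav->key_auth) {`, assuming those fields are how this file tests for auth. Separately, `m->m_pkthdr.csum_flags = ...` overwrites any flags already set on the mbuf; `m->m_pkthdr.csum_flags |= CSUM_DATA_VALID | CSUM_PSEUDO_HDR;` would preserve them.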