rtems/rtems-libbsd
1
0
Fork 0
mirror of https://git.rtems.org/rtems-libbsd/ synced 2025-10-14 08:44:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update to FreeBSD head 2017-06-01

Browse Source 
Git mirror commit dfb26efac4ce9101dda240e94d9ab53f80a9e131.

Update #3472.
This commit is contained in:
Sebastian Huber
2018-08-07 12:12:37 +02:00
parent a25e6a9d18
commit de261e0404
257 changed files with 3909 additions and 2604 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
freebsd/sys/netipsec/ipsec.h
View File

@@ -299,7 +299,13 @@ VNET_DECLARE(int, natt_cksum_policy);
#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0)
/* for openbsd compatibility */
#ifdef IPSEC_DEBUG
#define IPSEC_DEBUG_DECLARE(x) x
#define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0)
#else
#define IPSEC_DEBUG_DECLARE(x)
#define DPRINTF(x)
#endif
struct inpcb;
struct m_tag;

8
freebsd/sys/netipsec/ipsec_input.c
View File

@@ -119,7 +119,7 @@ __FBSDID("$FreeBSD$");
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
union sockaddr_union dst_address;
struct secasvar *sav;
uint32_t spi;
@@ -225,8 +225,6 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
* everything else.
*/
error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
if (error != 0)
key_freesav(&sav);
return (error);
}
@@ -281,7 +279,7 @@ int
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
int protoff)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
struct ipsec_ctx_data ctx;
struct xform_history *xh;
struct secasindex *saidx;
@@ -492,7 +490,7 @@ int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
int protoff)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
struct ipsec_ctx_data ctx;
struct xform_history *xh;
struct secasindex *saidx;

4
freebsd/sys/netipsec/ipsec_mbuf.c
View File

@@ -170,8 +170,8 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
caddr_t
m_pad(struct mbuf *m, int n)
{
register struct mbuf *m0, *m1;
register int len, pad;
struct mbuf *m0, *m1;
int len, pad;
caddr_t retval;
if (n <= 0) { /* No stupid arguments. */

28
freebsd/sys/netipsec/ipsec_output.c
View File

@@ -185,7 +185,6 @@ next:
static int
ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
{
char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
struct ipsec_ctx_data ctx;
union sockaddr_union *dst;
struct secasvar *sav;
@@ -232,12 +231,9 @@ ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
error = ipsec_encap(&m, &sav->sah->saidx);
if (error != 0) {
DPRINTF(("%s: encapsulation for SA %s->%s "
"SPI 0x%08x failed with error %d\n", __func__,
ipsec_address(&sav->sah->saidx.src, sbuf,
sizeof(sbuf)),
ipsec_address(&sav->sah->saidx.dst, dbuf,
sizeof(dbuf)), ntohl(sav->spi), error));
DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
"with error %d\n", __func__, ntohl(sav->spi),
error));
/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
goto bad;
}
@@ -275,10 +271,6 @@ ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
goto bad;
}
error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
if (error != 0) {
key_freesav(&sav);
key_freesp(&sp);
}
return (error);
bad:
IPSECSTAT_INC(ips_out_inval);
@@ -503,7 +495,6 @@ next:
static int
ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
{
char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
struct ipsec_ctx_data ctx;
union sockaddr_union *dst;
struct secasvar *sav;
@@ -545,12 +536,9 @@ ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
}
error = ipsec_encap(&m, &sav->sah->saidx);
if (error != 0) {
DPRINTF(("%s: encapsulation for SA %s->%s "
"SPI 0x%08x failed with error %d\n", __func__,
ipsec_address(&sav->sah->saidx.src, sbuf,
sizeof(sbuf)),
ipsec_address(&sav->sah->saidx.dst, dbuf,
sizeof(dbuf)), ntohl(sav->spi), error));
DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
"with error %d\n", __func__, ntohl(sav->spi),
error));
/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
goto bad;
}
@@ -583,10 +571,6 @@ ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
goto bad;
}
error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
if (error != 0) {
key_freesav(&sav);
key_freesp(&sp);
}
return (error);
bad:
IPSEC6STAT_INC(ips_out_inval);

8
freebsd/sys/netipsec/ipsec_pcb.c
View File

@@ -174,10 +174,10 @@ ipsec_delete_pcbpolicy(struct inpcb *inp)
if (inp->inp_sp == NULL)
return (0);
if (inp->inp_sp->flags & INP_INBOUND_POLICY)
if (inp->inp_sp->sp_in != NULL)
key_freesp(&inp->inp_sp->sp_in);
if (inp->inp_sp->flags & INP_OUTBOUND_POLICY)
if (inp->inp_sp->sp_out != NULL)
key_freesp(&inp->inp_sp->sp_out);
free(inp->inp_sp, M_IPSEC_INPCB);
@@ -252,6 +252,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new)
if (sp == NULL)
return (ENOBUFS);
ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
if (new->inp_sp->sp_in != NULL)
key_freesp(&new->inp_sp->sp_in);
new->inp_sp->sp_in = sp;
new->inp_sp->flags |= INP_INBOUND_POLICY;
}
@@ -260,6 +262,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, struct inpcb *new)
if (sp == NULL)
return (ENOBUFS);
ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
if (new->inp_sp->sp_out != NULL)
key_freesp(&new->inp_sp->sp_out);
new->inp_sp->sp_out = sp;
new->inp_sp->flags |= INP_OUTBOUND_POLICY;
}

6
freebsd/sys/netipsec/key.c
View File

@@ -865,7 +865,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx)
kdebug_secash(sah, " "));
if (sah->saidx.proto != IPPROTO_TCP)
continue;
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
!key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {
@@ -4964,7 +4965,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
if (sah->saidx.proto != IPPROTO_TCP)
continue;
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
!key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
break;
}
if (sah != NULL) {

109
freebsd/sys/netipsec/key_debug.c
View File

@@ -65,6 +65,7 @@
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#endif /* !_KERNEL */
static void kdebug_sadb_prop(struct sadb_ext *);
@@ -75,6 +76,8 @@ static void kdebug_sadb_sa(struct sadb_ext *);
static void kdebug_sadb_address(struct sadb_ext *);
static void kdebug_sadb_key(struct sadb_ext *);
static void kdebug_sadb_x_sa2(struct sadb_ext *);
static void kdebug_sadb_x_sa_replay(struct sadb_ext *);
static void kdebug_sadb_x_natt(struct sadb_ext *);
#ifdef _KERNEL
static void kdebug_secreplay(struct secreplay *);
@@ -133,6 +136,10 @@ kdebug_sadb(struct sadb_msg *base)
case SADB_EXT_ADDRESS_SRC:
case SADB_EXT_ADDRESS_DST:
case SADB_EXT_ADDRESS_PROXY:
case SADB_X_EXT_NAT_T_OAI:
case SADB_X_EXT_NAT_T_OAR:
case SADB_X_EXT_NEW_ADDRESS_SRC:
case SADB_X_EXT_NEW_ADDRESS_DST:
kdebug_sadb_address(ext);
break;
case SADB_EXT_KEY_AUTH:
@@ -161,6 +168,14 @@ kdebug_sadb(struct sadb_msg *base)
case SADB_X_EXT_SA2:
kdebug_sadb_x_sa2(ext);
break;
case SADB_X_EXT_SA_REPLAY:
kdebug_sadb_x_sa_replay(ext);
break;
case SADB_X_EXT_NAT_T_TYPE:
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
kdebug_sadb_x_natt(ext);
break;
default:
printf("%s: invalid ext_type %u\n", __func__,
ext->sadb_ext_type);
@@ -344,8 +359,6 @@ kdebug_sadb_address(struct sadb_ext *ext)
((u_char *)&addr->sadb_address_reserved)[1]);
kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
return;
}
static void
@@ -394,6 +407,41 @@ kdebug_sadb_x_sa2(struct sadb_ext *ext)
return;
}
static void
kdebug_sadb_x_sa_replay(struct sadb_ext *ext)
{
struct sadb_x_sa_replay *replay;
/* sanity check */
if (ext == NULL)
panic("%s: NULL pointer was passed.\n", __func__);
replay = (struct sadb_x_sa_replay *)ext;
printf("sadb_x_sa_replay{ replay=%u }\n",
replay->sadb_x_sa_replay_replay);
}
static void
kdebug_sadb_x_natt(struct sadb_ext *ext)
{
struct sadb_x_nat_t_type *type;
struct sadb_x_nat_t_port *port;
/* sanity check */
if (ext == NULL)
panic("%s: NULL pointer was passed.\n", __func__);
if (ext->sadb_ext_type == SADB_X_EXT_NAT_T_TYPE) {
type = (struct sadb_x_nat_t_type *)ext;
printf("sadb_x_nat_t_type{ type=%u }\n",
type->sadb_x_nat_t_type_type);
} else {
port = (struct sadb_x_nat_t_port *)ext;
printf("sadb_x_nat_t_port{ port=%u }\n",
ntohs(port->sadb_x_nat_t_port_port));
}
}
void
kdebug_sadb_x_policy(struct sadb_ext *ext)
{
@@ -404,9 +452,11 @@ kdebug_sadb_x_policy(struct sadb_ext *ext)
if (ext == NULL)
panic("%s: NULL pointer was passed.\n", __func__);
printf("sadb_x_policy{ type=%u dir=%u id=%x }\n",
printf("sadb_x_policy{ type=%u dir=%u id=%x scope=%u %s=%u }\n",
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
xpl->sadb_x_policy_id);
xpl->sadb_x_policy_id, xpl->sadb_x_policy_scope,
xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET ?
"ifindex": "priority", xpl->sadb_x_policy_priority);
if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
int tlen;
@@ -852,39 +902,42 @@ ipsec_sa2str(struct secasvar *sav, char *buf, size_t size)
void
kdebug_sockaddr(struct sockaddr *addr)
{
struct sockaddr_in *sin4;
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
char buf[IPSEC_ADDRSTRLEN];
/* sanity check */
if (addr == NULL)
panic("%s: NULL pointer was passed.\n", __func__);
/* NOTE: We deal with port number as host byte order. */
printf("sockaddr{ len=%u family=%u", addr->sa_len, addr->sa_family);
switch (addr->sa_family) {
case AF_INET:
sin4 = (struct sockaddr_in *)addr;
printf(" port=%u\n", ntohs(sin4->sin_port));
ipsec_hexdump((caddr_t)&sin4->sin_addr, sizeof(sin4->sin_addr));
#ifdef INET
case AF_INET: {
struct sockaddr_in *sin;
sin = (struct sockaddr_in *)addr;
inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf));
break;
#ifdef INET6
case AF_INET6:
sin6 = (struct sockaddr_in6 *)addr;
printf(" port=%u\n", ntohs(sin6->sin6_port));
printf(" flowinfo=0x%08x, scope_id=0x%08x\n",
sin6->sin6_flowinfo, sin6->sin6_scope_id);
ipsec_hexdump((caddr_t)&sin6->sin6_addr,
sizeof(sin6->sin6_addr));
break;
#endif
}
#endif
#ifdef INET6
case AF_INET6: {
struct sockaddr_in6 *sin6;
printf(" }\n");
return;
sin6 = (struct sockaddr_in6 *)addr;
if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
snprintf(buf, sizeof(buf), "%s%%%u",
inet_ntop(AF_INET6, &sin6->sin6_addr, buf,
sizeof(buf)), sin6->sin6_scope_id);
} else
inet_ntop(AF_INET6, &sin6->sin6_addr, buf,
sizeof(buf));
break;
}
#endif
default:
sprintf(buf, "unknown");
}
printf("sockaddr{ len=%u family=%u addr=%s }\n", addr->sa_len,
addr->sa_family, buf);
}
void

4
freebsd/sys/netipsec/key_debug.h
View File

@@ -53,10 +53,14 @@
#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
#ifdef IPSEC_DEBUG
#define KEYDBG(lev, arg) \
if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { \
arg; \
}
#else
#define KEYDBG(lev, arg)
#endif /* !IPSEC_DEBUG */
VNET_DECLARE(uint32_t, key_debug_level);
#define V_key_debug_level VNET(key_debug_level)

33
freebsd/sys/netipsec/xform_ah.c
View File

@@ -546,7 +546,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
char buf[128];
IPSEC_DEBUG_DECLARE(char buf[128]);
const struct auth_hash *ahx;
struct cryptodesc *crda;
struct cryptop *crp;
@@ -568,8 +568,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
AHSTAT_INC(ahs_hdrops); /*XXX*/
m_freem(m);
return ENOBUFS;
error = ENOBUFS;
goto bad;
}
/* Check replay window, if applicable. */
@@ -580,8 +580,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
AHSTAT_INC(ahs_replay);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_sa2str(sav, buf, sizeof(buf))));
m_freem(m);
return (EACCES);
error = EACCES;
goto bad;
}
cryptoid = sav->tdb_cryptoid;
SECASVAR_UNLOCK(sav);
@@ -597,8 +597,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauthl);
m_freem(m);
return EACCES;
error = EACCES;
goto bad;
}
AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
@@ -608,8 +608,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to acquire crypto descriptor\n",
__func__));
AHSTAT_INC(ahs_crypto);
m_freem(m);
return ENOBUFS;
error = ENOBUFS;
goto bad;
}
crda = crp->crp_desc;
@@ -631,8 +631,8 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
AHSTAT_INC(ahs_crypto);
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
error = ENOBUFS;
goto bad;
}
/*
@@ -652,6 +652,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
AHSTAT_INC(ahs_hdrops);
free(xd, M_XDATA);
crypto_freereq(crp);
key_freesav(&sav);
return (error);
}
@@ -670,6 +671,10 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
xd->skip = skip;
xd->cryptoid = cryptoid;
return (crypto_dispatch(crp));
bad:
m_freem(m);
key_freesav(&sav);
return (error);
}
/*
@@ -678,7 +683,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ah_input_cb(struct cryptop *crp)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
unsigned char calc[AH_ALEN_MAX];
const struct auth_hash *ahx;
struct mbuf *m;
@@ -828,7 +833,7 @@ static int
ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
u_int idx, int skip, int protoff)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
const struct auth_hash *ahx;
struct cryptodesc *crda;
struct xform_data *xd;
@@ -1046,6 +1051,8 @@ ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bad:
if (m)
m_freem(m);
key_freesav(&sav);
key_freesp(&sp);
return (error);
}

33
freebsd/sys/netipsec/xform_esp.c
View File

@@ -265,7 +265,7 @@ esp_zeroize(struct secasvar *sav)
static int
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
char buf[128];
IPSEC_DEBUG_DECLARE(char buf[128]);
const struct auth_hash *esph;
const struct enc_xform *espx;
struct xform_data *xd;
@@ -274,18 +274,18 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct newesp *esp;
uint8_t *ivp;
uint64_t cryptoid;
int plen, alen, hlen;
int alen, error, hlen, plen;
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
error = EINVAL;
/* Valid IP Packet length ? */
if ( (skip&3) || (m->m_pkthdr.len&3) ){
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
__func__, skip, m->m_pkthdr.len));
ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
goto bad;
}
/* XXX don't pullup, just copy header */
IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
@@ -316,8 +316,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long)ntohl(sav->spi)));
ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
goto bad;
}
/*
@@ -330,8 +329,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_sa2str(sav, buf, sizeof(buf))));
ESPSTAT_INC(esps_replay);
m_freem(m);
return (EACCES);
error = EACCES;
goto bad;
}
}
cryptoid = sav->tdb_cryptoid;
@@ -346,8 +345,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
ESPSTAT_INC(esps_crypto);
m_freem(m);
return ENOBUFS;
error = ENOBUFS;
goto bad;
}
/* Get IPsec-specific opaque pointer */
@@ -356,8 +355,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
ESPSTAT_INC(esps_crypto);
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
error = ENOBUFS;
goto bad;
}
if (esph != NULL) {
@@ -427,6 +426,10 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crde->crd_alg = espx->type;
return (crypto_dispatch(crp));
bad:
m_freem(m);
key_freesav(&sav);
return (error);
}
/*
@@ -435,7 +438,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
esp_input_cb(struct cryptop *crp)
{
char buf[128];
IPSEC_DEBUG_DECLARE(char buf[128]);
u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN];
const struct auth_hash *esph;
const struct enc_xform *espx;
@@ -621,7 +624,7 @@ static int
esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
u_int idx, int skip, int protoff)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
struct cryptodesc *crde = NULL, *crda = NULL;
struct cryptop *crp;
const struct auth_hash *esph;
@@ -860,6 +863,8 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bad:
if (m)
m_freem(m);
key_freesav(&sav);
key_freesp(&sp);
return (error);
}
/*

28
freebsd/sys/netipsec/xform_ipcomp.c
View File

@@ -196,34 +196,35 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct cryptop *crp;
struct ipcomp *ipcomp;
caddr_t addr;
int hlen = IPCOMP_HLENGTH;
int error, hlen = IPCOMP_HLENGTH;
/*
* Check that the next header of the IPComp is not IPComp again, before
* doing any real work. Given it is not possible to do double
* compression it means someone is playing tricks on us.
*/
error = ENOBUFS;
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
return (ENOBUFS);
key_freesav(&sav);
return (error);
}
addr = (caddr_t) mtod(m, struct ip *) + skip;
ipcomp = (struct ipcomp *)addr;
if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
m_freem(m);
IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */
DPRINTF(("%s: recursive compression detected\n", __func__));
return (EINVAL);
error = EINVAL;
goto bad;
}
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
m_freem(m);
DPRINTF(("%s: no crypto descriptors\n", __func__));
IPCOMPSTAT_INC(ipcomps_crypto);
return ENOBUFS;
goto bad;
}
/* Get IPsec-specific opaque pointer */
xd = malloc(sizeof(*xd), M_XDATA, M_NOWAIT | M_ZERO);
@@ -231,8 +232,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: cannot allocate xform_data\n", __func__));
IPCOMPSTAT_INC(ipcomps_crypto);
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
goto bad;
}
crdc = crp->crp_desc;
@@ -261,6 +261,10 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
SECASVAR_UNLOCK(sav);
return crypto_dispatch(crp);
bad:
m_freem(m);
key_freesav(&sav);
return (error);
}
/*
@@ -269,7 +273,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ipcomp_input_cb(struct cryptop *crp)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
struct cryptodesc *crd;
struct xform_data *xd;
struct mbuf *m;
@@ -385,7 +389,7 @@ static int
ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
u_int idx, int skip, int protoff)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
const struct comp_algo *ipcompx;
struct cryptodesc *crdc;
struct cryptop *crp;
@@ -508,6 +512,8 @@ ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bad:
if (m)
m_freem(m);
key_freesav(&sav);
key_freesp(&sp);
return (error);
}
@@ -517,7 +523,7 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
char buf[IPSEC_ADDRSTRLEN];
IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
struct xform_data *xd;
struct secpolicy *sp;
struct secasvar *sav;