Hi,

Instead of printing a debug message at the end, panic early if the
IPsec security protocol is unknown.

ok?

bluhm

Index: netinet/ipsec_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.149
diff -u -p -r1.149 ipsec_input.c
--- netinet/ipsec_input.c       11 May 2017 12:14:43 -0000      1.149
+++ netinet/ipsec_input.c       11 May 2017 22:14:41 -0000
@@ -172,15 +172,22 @@ ipsec_common_input(struct mbuf *m, int s
        }
 
        /* Retrieve the SPI from the relevant IPsec header */
-       if (sproto == IPPROTO_ESP)
+       switch (sproto) {
+       case IPPROTO_ESP:
                m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
-       else if (sproto == IPPROTO_AH)
+               break;
+       case IPPROTO_AH:
                m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
                    (caddr_t) &spi);
-       else if (sproto == IPPROTO_IPCOMP) {
+               break;
+       case IPPROTO_IPCOMP:
                m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
                    (caddr_t) &cpi);
                spi = ntohl(htons(cpi));
+               break;
+       default:
+               panic("%s: unknown/unsupported security protocol %d",
+                   __func__, sproto);
        }
 
        /*
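Review bot: The new default branch turns an unexpected sproto into a kernel panic on the packet input path, which is only acceptable if sproto can never be derived from the wire; the callers are outside this hunk, and they presumably pass a fixed IPPROTO_* constant, but that invariant should be stated next to the switch, e.g. `/* sproto is a caller-supplied IPPROTO_* constant, never read from the packet; any other value is a kernel bug */`. The same applies to the default case added in the ipsec_common_input_cb hunk, where sproto appears to come from the tdb rather than the mbuf, and to the check removed in the last hunk, which previously dropped the mbuf and returned instead of panicking. The change from drop-and-return to panic is a change in failure mode worth noting in the commit message. ipsec_common_input's body begins and ends outside this hunk.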
@@ -526,7 +533,8 @@ ipsec_common_input_cb(struct mbuf *m, st
                m_tag_prepend(m, mtag);
        }
 
-       if (sproto == IPPROTO_ESP) {
+       switch (sproto) {
+       case IPPROTO_ESP:
                /* Packet is confidential ? */
                if (tdbp->tdb_encalgxform)
                        m->m_flags |= M_CONF;
@@ -534,10 +542,16 @@ ipsec_common_input_cb(struct mbuf *m, st
                /* Check if we had authenticated ESP. */
                if (tdbp->tdb_authalgxform)
                        m->m_flags |= M_AUTH;
-       } else if (sproto == IPPROTO_AH) {
+               break;
+       case IPPROTO_AH:
                m->m_flags |= M_AUTH;
-       } else if (sproto == IPPROTO_IPCOMP) {
+               break;
+       case IPPROTO_IPCOMP:
                m->m_flags |= M_COMP;
+               break;
+       default:
+               panic("%s: unknown/unsupported security protocol %d",
+                   __func__, sproto);
        }
 
 #if NPF > 0
@@ -566,18 +580,6 @@ ipsec_common_input_cb(struct mbuf *m, st
                }
        }
 #endif
-
-       switch (sproto) {
-       case IPPROTO_ESP:
-       case IPPROTO_AH:
-       case IPPROTO_IPCOMP:
-               break;
-       default:
-               DPRINTF(("ipsec_common_input_cb(): unknown/unsupported"
-                   " security protocol %d\n", sproto));
-               m_freem(m);
-               return;
-       }
 
        /* Call the appropriate IPsec transform callback. */
        switch (af) {
