Hi, instead of printing a debug message at the end, panic early if the IPsec security protocol is unknown.
ok? bluhm
Index: netinet/ipsec_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.149
diff -u -p -r1.149 ipsec_input.c
--- netinet/ipsec_input.c	11 May 2017 12:14:43 -0000	1.149
+++ netinet/ipsec_input.c	11 May 2017 22:14:41 -0000
@@ -172,15 +172,22 @@ ipsec_common_input(struct mbuf *m, int s
 	}
 
 	/* Retrieve the SPI from the relevant IPsec header */
-	if (sproto == IPPROTO_ESP)
+	switch (sproto) {
+	case IPPROTO_ESP:
 		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
-	else if (sproto == IPPROTO_AH)
+		break;
+	case IPPROTO_AH:
 		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
 		    (caddr_t) &spi);
-	else if (sproto == IPPROTO_IPCOMP) {
+		break;
+	case IPPROTO_IPCOMP:
 		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
 		    (caddr_t) &cpi);
 		spi = ntohl(htons(cpi));
+		break;
+	default:
+		panic("%s: unknown/unsupported security protocol %d",
+		    __func__, sproto);
 	}
 
 	/*
@@ -526,7 +533,8 @@ ipsec_common_input_cb(struct mbuf *m, st
 		m_tag_prepend(m, mtag);
 	}
 
-	if (sproto == IPPROTO_ESP) {
+	switch (sproto) {
+	case IPPROTO_ESP:
 		/* Packet is confidential ? */
 		if (tdbp->tdb_encalgxform)
 			m->m_flags |= M_CONF;
@@ -534,10 +542,16 @@ ipsec_common_input_cb(struct mbuf *m, st
 		/* Check if we had authenticated ESP. */
 		if (tdbp->tdb_authalgxform)
 			m->m_flags |= M_AUTH;
-	} else if (sproto == IPPROTO_AH) {
+		break;
+	case IPPROTO_AH:
 		m->m_flags |= M_AUTH;
-	} else if (sproto == IPPROTO_IPCOMP) {
+		break;
+	case IPPROTO_IPCOMP:
 		m->m_flags |= M_COMP;
+		break;
+	default:
+		panic("%s: unknown/unsupported security protocol %d",
+		    __func__, sproto);
 	}
 
 #if NPF > 0
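Review bot: The new `default: panic(...)` arms in ipsec_common_input (first hunk) and ipsec_common_input_cb (third hunk) turn what used to be a logged drop into a kernel crash, so they are only acceptable if `sproto` can never be derived from packet contents; from the hunks alone that cannot be confirmed, since `sproto` is a parameter and its callers are outside the diff. It is worth pinning that invariant in the source so a future caller does not unknowingly create a remotely triggerable panic, e.g. above the first switch: `/* sproto is chosen by the calling protocol input routine, never read from the packet, so an unknown value is a kernel bug, not bad input. */`. Note also that the first hunk leaves `spi` unassigned only on the panic path, so the uninitialized read the old if/else chain allowed for an unknown `sproto` is gone, which is the intended improvement. Both enclosing functions begin and end outside the hunks.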
@@ -566,18 +580,6 @@ ipsec_common_input_cb(struct mbuf *m, st
 		}
 	}
 #endif
-
-	switch (sproto) {
-	case IPPROTO_ESP:
-	case IPPROTO_AH:
-	case IPPROTO_IPCOMP:
-		break;
-	default:
-		DPRINTF(("ipsec_common_input_cb(): unknown/unsupported"
-		    " security protocol %d\n", sproto));
-		m_freem(m);
-		return;
-	}
 
 	/* Call the appropriate IPsec transform callback. */
 	switch (af) {