On Fri, May 12, 2017 at 01:53:12PM +0200, Alexander Bluhm wrote:
> In bridge_ipsec() tdb comes from
> gettdb() called with proto.  There we goto skiplookup if proto !=
> IPPROTO_ESP && proto != IPPROTO_AH && proto != IPPROTO_IPCOMP.

While looking at this, I saw the same code in both the IPv4 and IPv6
cases.  And we could put the panic there, too.

ok?

bluhm

Index: net/if_bridge.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.294
diff -u -p -r1.294 if_bridge.c
--- net/if_bridge.c     5 Feb 2017 16:04:14 -0000       1.294
+++ net/if_bridge.c     12 May 2017 14:51:35 -0000
@@ -1425,17 +1425,6 @@ bridge_ipsec(struct bridge_softc *sc, st
                            sizeof(struct in_addr),
                            (caddr_t)&dst.sin.sin_addr);
 
-                       if (ip->ip_p == IPPROTO_ESP)
-                               m_copydata(m, hlen, sizeof(u_int32_t),
-                                   (caddr_t)&spi);
-                       else if (ip->ip_p == IPPROTO_AH)
-                               m_copydata(m, hlen + sizeof(u_int32_t),
-                                   sizeof(u_int32_t), (caddr_t)&spi);
-                       else if (ip->ip_p == IPPROTO_IPCOMP) {
-                               m_copydata(m, hlen + sizeof(u_int16_t),
-                                   sizeof(u_int16_t), (caddr_t)&cpi);
-                               spi = ntohl(htons(cpi));
-                       }
                        break;
 #ifdef INET6
                case AF_INET6:
@@ -1459,25 +1448,29 @@ bridge_ipsec(struct bridge_softc *sc, st
                            sizeof(struct in6_addr),
                            (caddr_t)&dst.sin6.sin6_addr);
 
-                       if (proto == IPPROTO_ESP)
-                               m_copydata(m, hlen, sizeof(u_int32_t),
-                                   (caddr_t)&spi);
-                       else if (proto == IPPROTO_AH)
-                               m_copydata(m, hlen + sizeof(u_int32_t),
-                                   sizeof(u_int32_t), (caddr_t)&spi);
-                       else if (proto == IPPROTO_IPCOMP) {
-                               m_copydata(m, hlen + sizeof(u_int16_t),
-                                   sizeof(u_int16_t), (caddr_t)&cpi);
-                               spi = ntohl(htons(cpi));
-                       }
                        break;
 #endif /* INET6 */
                default:
                        return (0);
                }
 
-               if (proto == 0)
-                       goto skiplookup;
+               switch (proto) {
+               case IPPROTO_ESP:
+                       m_copydata(m, hlen, sizeof(u_int32_t), (caddr_t)&spi);
+                       break;
+               case IPPROTO_AH:
+                       m_copydata(m, hlen + sizeof(u_int32_t),
+                           sizeof(u_int32_t), (caddr_t)&spi);
+                       break;
+               case IPPROTO_IPCOMP:
+                       m_copydata(m, hlen + sizeof(u_int16_t),
+                           sizeof(u_int16_t), (caddr_t)&cpi);
+                       spi = ntohl(htons(cpi));
+                       break;
+               default:
+                       panic("%s: unknown/unsupported security protocol %d",
+                           __func__, proto);
+               }
 
                splsoftassert(IPL_SOFTNET);
 
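Review bot: The new `default:` arm calls panic() on a `proto` value that appears to be taken from the packet header, so this input path is only safe as long as the ESP/AH/IPCOMP filter earlier in bridge_ipsec() holds; that filter is outside this hunk and is only described in the quoted message as a `goto skiplookup`. If the filter and this switch ever drift apart, for example a protocol added in one place only, a bridged packet would halt the kernel instead of being passed on without IPsec processing, and the removed `if (proto == 0) goto skiplookup;` no longer covers even that one value. Consider `default: goto skiplookup;` to keep the fail-soft behaviour. If the panic is kept as an assertion, put a comment above it such as `/* proto was restricted to ESP/AH/IPCOMP earlier in this function; anything else is a kernel bug */`. The function starts and ends outside the hunk, so the filter should be confirmed against the full source for both address families.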
