The branch stable/13 has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7b335e9f690e77841e3eb7dbf3403429b10fe222

commit 7b335e9f690e77841e3eb7dbf3403429b10fe222
Author:     Konstantin Belousov <[email protected]>
AuthorDate: 2023-07-20 12:08:24 +0000
Commit:     Konstantin Belousov <[email protected]>
CommitDate: 2023-07-28 01:14:01 +0000

    ip output: ensure that mbufs are mapped if ipsec is enabled
    
    PR:     272616
    
    (cherry picked from commit bc310a95c58a3c570ed7e5103371453881e36ba1)
---
 sys/netinet/ip_output.c   | 6 ++++++
 sys/netinet6/ip6_output.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 60aac79886c3..9b8e3b3eff7f 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -677,6 +677,12 @@ again:
 sendit:
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
        if (IPSEC_ENABLED(ipv4)) {
+               m = mb_unmapped_to_ext(m);
+               if (m == NULL) {
+                       IPSTAT_INC(ips_odropped);
+                       error = ENOBUFS;
+                       goto bad;
+               }
                if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) {
                        if (error == EINPROGRESS)
                                error = 0;
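Review bot: The `mb_unmapped_to_ext(m)` call runs for every outbound packet as soon as `IPSEC_ENABLED(ipv4)` is true, before anything visible in this hunk has decided whether a security policy applies to the packet, and it carries no comment saying why. The ip6_output.c hunk has the same shape. On hosts that enable IPsec but send most traffic outside any policy, this presumably copies unmapped payloads (sendfile, kernel TLS) that would otherwise stay unmapped until they reach the driver. If the conversion cannot be deferred until IPsec actually has to touch the data, I would at least record the reason above the call, e.g. `/* IPsec may read and modify packet data, which requires mapped mbufs. */`. The `sendit:` block continues outside the hunk.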
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index f455c5ccbea2..88d7b2153991 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -461,6 +461,12 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
         * XXX: need scope argument.
         */
        if (IPSEC_ENABLED(ipv6)) {
+               m = mb_unmapped_to_ext(m);
+               if (m == NULL) {
+                       IP6STAT_INC(ip6s_odropped);
+                       error = ENOBUFS;
+                       goto bad;
+               }
                if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) {
                        if (error == EINPROGRESS)
                                error = 0;
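Review bot: After the conversion, `m` may no longer be the chain that was passed in as `m0`. On failure the original chain is, as far as I know, already freed by `mb_unmapped_to_ext()`, so `goto bad` is reached with `m == NULL` and `m0` possibly dangling. The `bad:` label and the rest of ip6_output() lie outside the hunk, so it is worth confirming that the cleanup path tolerates a NULL `m` and that no later code still reads the old `m0`. A short comment would make the contract explicit, e.g. `/* mb_unmapped_to_ext() may replace or free the chain; do not use m0 past this point. */`.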
