Module Name: src
Committed By: ozaki-r
Date: Tue Oct 3 08:34:28 UTC 2017
Modified Files:
src/sys/netipsec: ipsec_output.c key.c key.h
Log Message:
Fix broken SP handling in transport mode
isr->saidx was modified accidentally in ipsec_nextisr.
Reported by christos@
Investigation help from christos@ and knakahara@
To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 src/sys/netipsec/ipsec_output.c
cvs rdiff -u -r1.232 -r1.233 src/sys/netipsec/key.c
cvs rdiff -u -r1.30 -r1.31 src/sys/netipsec/key.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.62 src/sys/netipsec/ipsec_output.c:1.63
--- src/sys/netipsec/ipsec_output.c:1.62 Tue Oct 3 08:25:21 2017
+++ src/sys/netipsec/ipsec_output.c Tue Oct 3 08:34:28 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.63 2017/10/03 08:34:28 ozaki-r Exp $ */
/*-
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.62 2017/10/03 08:25:21 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.63 2017/10/03 08:34:28 ozaki-r Exp $");
/*
* IPsec output processing.
@@ -386,7 +386,7 @@ do { \
} while (/*CONSTCOND*/0)
struct secasvar *sav = NULL;
- struct secasindex *saidx;
+ struct secasindex saidx;
IPSEC_SPLASSERT_SOFTNET("ipsec_nextisr");
KASSERTMSG(af == AF_INET || af == AF_INET6,
@@ -397,16 +397,16 @@ again:
* we only fillin unspecified SA peers for transport
* mode; for tunnel mode they must already be filled in.
*/
- saidx = &isr->saidx;
+ saidx = isr->saidx;
if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
/* Fillin unspecified SA peers only for transport mode */
- ipsec_fill_saidx_bymbuf(saidx, m, af);
+ ipsec_fill_saidx_bymbuf(&saidx, m, af);
}
/*
* Lookup SA and validate it.
*/
- *error = key_checkrequest(isr, &sav);
+ *error = key_checkrequest(isr, &saidx, &sav);
if (*error != 0) {
/*
* IPsec processing is required, but no SA found.
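Review bot: The reason for the by-value copy at `saidx = isr->saidx;` is not stated in the code, only in the commit message, so a later reader may well "optimize" it back to a pointer and reintroduce the bug. I would put a one-line comment directly above it: `/* Work on a private copy: isr->saidx belongs to the SP and must stay as configured. */`. Separately, the return value of `ipsec_fill_saidx_bymbuf(&saidx, m, af)` is not inspected; its declaration is not visible here, so if it can fail, the copy could reach key_checkrequest with peers still unspecified and that should be checked, otherwise a void return is fine. ipsec_nextisr continues outside this hunk.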
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.232 src/sys/netipsec/key.c:1.233
--- src/sys/netipsec/key.c:1.232 Tue Oct 3 08:25:21 2017
+++ src/sys/netipsec/key.c Tue Oct 3 08:34:28 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.233 2017/10/03 08:34:28 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.232 2017/10/03 08:25:21 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.233 2017/10/03 08:34:28 ozaki-r Exp $");
/*
* This code is referred to RFC 2367
@@ -995,11 +995,11 @@ done:
* ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
*/
int
-key_checkrequest(struct ipsecrequest *isr, struct secasvar **ret)
+key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx,
+ struct secasvar **ret)
{
u_int level;
int error;
- const struct secasindex *saidx = &isr->saidx;
struct secasvar *sav;
KASSERT(isr != NULL);
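Review bot: The new saidx parameter gets no sanity check while isr is asserted non-NULL on the last line of the hunk; add `KASSERT(saidx != NULL);` next to it, since every caller must now supply the lookup index separately from isr. The comment block above the function, which starts outside the hunk, should also document the new parameter, e.g. `* saidx: SA index to look the SA up by; in transport mode a filled-in copy of isr->saidx, not isr->saidx itself.`. If the body below this hunk still reads isr->saidx anywhere, that read would bypass the filled-in copy and needs the same treatment — I cannot confirm from here. key_checkrequest's body continues outside the hunk.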
Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.30 src/sys/netipsec/key.h:1.31
--- src/sys/netipsec/key.h:1.30 Tue Oct 3 08:25:21 2017
+++ src/sys/netipsec/key.h Tue Oct 3 08:34:28 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.30 2017/10/03 08:25:21 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.31 2017/10/03 08:34:28 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@@ -97,7 +97,8 @@ struct secasvar *key_lookup_sa_bysaidx(c
key_lookup_sa(dst, proto, spi, sport, dport, __func__, __LINE__)
int key_checktunnelsanity (struct secasvar *, u_int, void *, void *);
-int key_checkrequest(struct ipsecrequest *, struct secasvar **);
+int key_checkrequest(struct ipsecrequest *, const struct secasindex *,
+ struct secasvar **);
struct secpolicy *key_msg2sp (const struct sadb_x_policy *, size_t, int *);
struct mbuf *key_sp2msg (const struct secpolicy *);