Hi,

There are 3 cases in the IPsec stack (in both the input and output paths) where, when we
have a bogus mbuf (NULL) and the packet needs to be dropped quickly, the TDB may
not be initialized yet and we will try to dereference it to increment the drop
counters there. Found by Coverity IDs 1473312/1473313/1473317.

This was introduced when mpi@ added per-TDB counters, but I'm not familiar with
the code so please bear with me if this is not correct!

Any comments regarding the 3 changes? OK?

Index: ipsec_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.166
diff -u -p -u -r1.166 ipsec_input.c
--- ipsec_input.c       28 Aug 2018 15:15:02 -0000      1.166
+++ ipsec_input.c       13 Sep 2018 10:47:55 -0000
@@ -162,7 +162,7 @@ ipsec_common_input(struct mbuf *m, int s
 } while (0)
 
        union sockaddr_union dst_address;
-       struct tdb *tdbp;
+       struct tdb *tdbp = NULL;
        struct ifnet *encif;
        u_int32_t spi;
        u_int16_t cpi;
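Review bot: Initialising `tdbp` to NULL only replaces an indeterminate value with a defined one; the early-drop path is safe only if the drop macro closed by `} while (0)` at the top of this hunk (its body lies above the hunk) tests the TDB for NULL before touching its counters, otherwise the Coverity uninitialised-read finding becomes a NULL dereference on that path. The same applies to the `tdb = NULL` initialisations in the ipsec_input_cb and ipsec_output_cb hunks, where the `if (m == NULL)` branch is reached before `tdb` can have been assigned from the lookup. If the macro does not already guard, the fix belongs in the macro (a NULL check around the counter increment) rather than only in the declarations. A short comment at the declaration would make the invariant explicit for the next reader, e.g. `/* NULL until the SA lookup below succeeds; the drop path must tolerate that. */`. The enclosing function ipsec_common_input starts above the hunk.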
@@ -352,7 +352,7 @@ ipsec_input_cb(struct cryptop *crp)
 {
        struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque;
        struct mbuf *m = (struct mbuf *) crp->crp_buf;
-       struct tdb *tdb;
+       struct tdb *tdb = NULL;
        int clen, error;
 
        if (m == NULL) {
Index: ipsec_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_output.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 ipsec_output.c
--- ipsec_output.c      28 Aug 2018 15:15:02 -0000      1.74
+++ ipsec_output.c      13 Sep 2018 10:47:55 -0000
@@ -388,7 +388,7 @@ ipsec_output_cb(struct cryptop *crp)
 {
        struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque;
        struct mbuf *m = (struct mbuf *) crp->crp_buf;
-       struct tdb *tdb;
+       struct tdb *tdb = NULL;
        int error, ilen, olen;
 
        if (m == NULL) {
