Hi,
Do not call ip_deliver() recursively. As we have no crypto task
anymore, we can return the next protocol. Then ip_deliver() will
walk the header chain in its loop.
ok?
bluhm
Index: netinet/ip_ah.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.165
diff -u -p -r1.165 ip_ah.c
--- netinet/ip_ah.c 25 Oct 2021 09:47:02 -0000 1.165
+++ netinet/ip_ah.c 1 Nov 2021 09:21:14 -0000
@@ -563,21 +563,18 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_wrap);
- error = ENOBUFS;
goto drop;
case 2:
DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = ENOBUFS;
goto drop;
case 3:
DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = ENOBUFS;
goto drop;
default:
DPRINTF("bogus value from checkreplaywindow() "
@@ -585,7 +582,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = ENOBUFS;
goto drop;
}
}
@@ -597,7 +593,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauthl);
- error = EACCES;
goto drop;
}
if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
@@ -607,7 +602,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauthl);
- error = EACCES;
goto drop;
}
@@ -622,7 +616,6 @@ ah_input(struct mbuf **mp, struct tdb *t
tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- error = ENXIO;
goto drop;
}
@@ -638,7 +631,6 @@ ah_input(struct mbuf **mp, struct tdb *t
if (crp == NULL) {
DPRINTF("failed to acquire crypto descriptors");
ahstat_inc(ahs_crypto);
- error = ENOBUFS;
goto drop;
}
@@ -664,7 +656,6 @@ ah_input(struct mbuf **mp, struct tdb *t
if (ptr == NULL) {
DPRINTF("failed to allocate buffer");
ahstat_inc(ahs_crypto);
- error = ENOBUFS;
goto drop;
}
@@ -720,7 +711,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_badauth);
- error = -1;
goto drop;
}
@@ -750,21 +740,18 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_wrap);
- error = -1;
goto drop;
case 2:
DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = -1;
goto drop;
case 3:
DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = -1;
goto drop;
default:
DPRINTF("bogus value from checkreplaywindow() "
@@ -772,7 +759,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_replay);
- error = -1;
goto drop;
}
}
@@ -784,7 +770,6 @@ ah_input(struct mbuf **mp, struct tdb *t
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ahstat_inc(ahs_hdrops);
- error = -1;
goto drop;
}
@@ -863,7 +848,7 @@ ah_input(struct mbuf **mp, struct tdb *t
free(ptr, M_XDATA, 0);
m_freemp(mp);
crypto_freereq(crp);
- return error;
+ return IPPROTO_DONE;
}
/*
Index: netinet/ip_esp.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.184
diff -u -p -r1.184 ip_esp.c
--- netinet/ip_esp.c 24 Oct 2021 23:33:37 -0000 1.184
+++ netinet/ip_esp.c 1 Nov 2021 09:21:14 -0000
@@ -362,7 +362,6 @@ esp_input(struct mbuf **mp, struct tdb *
if (plen <= 0) {
DPRINTF("invalid payload length");
espstat_inc(esps_badilen);
- error = EINVAL;
goto drop;
}
@@ -378,7 +377,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_badilen);
- error = EINVAL;
goto drop;
}
}
@@ -397,21 +395,18 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_wrap);
- error = EACCES;
goto drop;
case 2:
DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = EACCES;
goto drop;
case 3:
DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = EACCES;
goto drop;
default:
DPRINTF("bogus value from checkreplaywindow() "
@@ -419,7 +414,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = EACCES;
goto drop;
}
}
@@ -434,7 +428,6 @@ esp_input(struct mbuf **mp, struct tdb *
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- error = ENXIO;
goto drop;
}
@@ -450,7 +443,6 @@ esp_input(struct mbuf **mp, struct tdb *
if (crp == NULL) {
DPRINTF("failed to acquire crypto descriptors");
espstat_inc(esps_crypto);
- error = ENOBUFS;
goto drop;
}
@@ -537,7 +529,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_badauth);
- error = -1;
goto drop;
}
@@ -563,21 +554,18 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_wrap);
- error = -1;
goto drop;
case 2:
DPRINTF("old packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = -1;
goto drop;
case 3:
DPRINTF("duplicate packet received in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = -1;
goto drop;
default:
DPRINTF("bogus value from checkreplaywindow() "
@@ -585,7 +573,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_replay);
- error = -1;
goto drop;
}
}
@@ -597,7 +584,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_hdrops);
- error = -1;
goto drop;
}
@@ -668,7 +654,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_badilen);
- error = -1;
goto drop;
}
@@ -678,7 +663,6 @@ esp_input(struct mbuf **mp, struct tdb *
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
espstat_inc(esps_badenc);
- error = -1;
goto drop;
}
@@ -694,7 +678,7 @@ esp_input(struct mbuf **mp, struct tdb *
drop:
m_freemp(mp);
crypto_freereq(crp);
- return error;
+ return IPPROTO_DONE;
}
/*
Index: netinet/ip_ipcomp.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.86
diff -u -p -r1.86 ip_ipcomp.c
--- netinet/ip_ipcomp.c 24 Oct 2021 18:15:58 -0000 1.86
+++ netinet/ip_ipcomp.c 1 Nov 2021 09:21:14 -0000
@@ -154,7 +154,6 @@ ipcomp_input(struct mbuf **mp, struct td
if (crp == NULL) {
DPRINTF("failed to acquire crypto descriptors");
ipcompstat_inc(ipcomps_crypto);
- error = ENOBUFS;
goto drop;
}
crdc = &crp->crp_desc[0];
@@ -202,7 +201,6 @@ ipcomp_input(struct mbuf **mp, struct td
(tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- error = -1;
goto drop;
}
/* Notify on soft expiration */
@@ -218,7 +216,6 @@ ipcomp_input(struct mbuf **mp, struct td
if (m->m_len < skip + hlen &&
(m = *mp = m_pullup(m, skip + hlen)) == NULL) {
ipcompstat_inc(ipcomps_hdrops);
- error = -1;
goto drop;
}
@@ -229,7 +226,6 @@ ipcomp_input(struct mbuf **mp, struct td
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi));
ipcompstat_inc(ipcomps_hdrops);
- error = -1;
goto drop;
}
/* Keep the next protocol field */
@@ -295,7 +291,7 @@ ipcomp_input(struct mbuf **mp, struct td
drop:
m_freemp(mp);
crypto_freereq(crp);
- return error;
+ return IPPROTO_DONE;
}
/*
Index: netinet/ipsec_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.190
diff -u -p -r1.190 ipsec_input.c
--- netinet/ipsec_input.c 1 Nov 2021 09:19:10 -0000 1.190
+++ netinet/ipsec_input.c 1 Nov 2021 09:21:14 -0000
@@ -194,7 +194,7 @@ ipsec_common_input(struct mbuf **mp, int
struct ifnet *encif;
u_int32_t spi;
u_int16_t cpi;
- int error;
+ int prot;
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
#endif
@@ -207,14 +207,12 @@ ipsec_common_input(struct mbuf **mp, int
if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
DPRINTF("repeated decompression");
ipcompstat_inc(ipcomps_pdrops);
- error = EINVAL;
goto drop;
}
if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
DPRINTF("packet too small");
IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
- error = EINVAL;
goto drop;
}
@@ -268,7 +266,6 @@ ipsec_common_input(struct mbuf **mp, int
default:
DPRINTF("unsupported protocol family %d", af);
IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
- error = EPFNOSUPPORT;
goto drop;
}
@@ -278,7 +275,6 @@ ipsec_common_input(struct mbuf **mp, int
DPRINTF("could not find SA for packet to %s, spi %08x",
ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi));
IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb);
- error = ENOENT;
goto drop;
}
@@ -287,7 +283,6 @@ ipsec_common_input(struct mbuf **mp, int
ipsp_address(&dst_address, buf, sizeof(buf)),
ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid);
- error = EINVAL;
goto drop;
}
@@ -296,7 +291,6 @@ ipsec_common_input(struct mbuf **mp, int
ipsp_address(&dst_address, buf, sizeof(buf)),
ntohl(spi), tdbp->tdb_sproto);
espstat_inc(esps_udpinval);
- error = EINVAL;
goto drop;
}
@@ -305,7 +299,6 @@ ipsec_common_input(struct mbuf **mp, int
ipsp_address(&dst_address, buf, sizeof(buf)),
ntohl(spi), tdbp->tdb_sproto);
espstat_inc(esps_udpneeded);
- error = EINVAL;
goto drop;
}
@@ -314,7 +307,6 @@ ipsec_common_input(struct mbuf **mp, int
ipsp_address(&dst_address, buf, sizeof(buf)),
ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform);
- error = ENXIO;
goto drop;
}
@@ -326,7 +318,6 @@ ipsec_common_input(struct mbuf **mp, int
ipsp_address(&dst_address, buf, sizeof(buf)),
ntohl(spi), tdbp->tdb_sproto);
IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops);
- error = EACCES;
goto drop;
}
@@ -352,19 +343,19 @@ ipsec_common_input(struct mbuf **mp, int
* Call appropriate transform and return -- callback takes care of
* everything else.
*/
- error = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff);
- if (error) {
+ prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff);
+ if (prot == IPPROTO_DONE) {
ipsecstat_inc(ipsec_idrops);
tdbp->tdb_idrops++;
}
- return error;
+ return prot;
drop:
m_freemp(mp);
ipsecstat_inc(ipsec_idrops);
if (tdbp != NULL)
tdbp->tdb_idrops++;
- return error;
+ return IPPROTO_DONE;
}
/*
@@ -630,16 +621,15 @@ ipsec_common_input_cb(struct mbuf **mp,
m = *mp;
if_put(ifp);
if (m == NULL)
- return 0;
+ return IPPROTO_DONE;
}
#endif
- /* Call the appropriate IPsec transform callback. */
- ip_deliver(mp, &skip, prot, af);
- return 0;
+ /* Return to the appropriate protocol handler in deliver loop. */
+ return prot;
baddone:
m_freemp(mp);
- return -1;
+ return IPPROTO_DONE;
#undef IPSEC_ISTAT
}
@@ -829,8 +819,7 @@ ah46_input(struct mbuf **mp, int *offp,
return IPPROTO_DONE;
}
- ipsec_common_input(mp, *offp, protoff, af, proto, 0);
- return IPPROTO_DONE;
+ return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
}
void
@@ -863,8 +852,7 @@ esp46_input(struct mbuf **mp, int *offp,
return IPPROTO_DONE;
}
- ipsec_common_input(mp, *offp, protoff, af, proto, 0);
- return IPPROTO_DONE;
+ return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
}
/* IPv4 IPCOMP wrapper */
@@ -888,8 +876,7 @@ ipcomp46_input(struct mbuf **mp, int *of
return IPPROTO_DONE;
}
- ipsec_common_input(mp, *offp, protoff, af, proto, 0);
- return IPPROTO_DONE;
+ return ipsec_common_input(mp, *offp, protoff, af, proto, 0);
}
void
Index: netinet/tcp_subr.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.181
diff -u -p -r1.181 tcp_subr.c
--- netinet/tcp_subr.c 23 Oct 2021 22:19:37 -0000 1.181
+++ netinet/tcp_subr.c 1 Nov 2021 09:26:48 -0000
@@ -964,7 +964,7 @@ tcp_signature_tdb_input(struct mbuf **mp
int protoff)
{
m_freemp(mp);
- return (EINVAL);
+ return (IPPROTO_DONE);
}
int
Index: netinet/udp_usrreq.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.263
diff -u -p -r1.263 udp_usrreq.c
--- netinet/udp_usrreq.c 23 Oct 2021 22:19:37 -0000 1.263
+++ netinet/udp_usrreq.c 2 Nov 2021 09:49:29 -0000
@@ -305,9 +305,8 @@ udp_input(struct mbuf **mp, int *offp, i
espstat_inc(esps_udpencin);
protoff = af == AF_INET ? offsetof(struct ip, ip_p) :
offsetof(struct ip6_hdr, ip6_nxt);
- ipsec_common_input(mp, skip, protoff,
+ return ipsec_common_input(mp, skip, protoff,
af, IPPROTO_ESP, 1);
- return IPPROTO_DONE;
}
}
#endif
