author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-11-11 18:08:19 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-11-11 18:08:19 +0000 |
commit | 63133a5098f29b03c7e694178b32509cbfa3766d (patch) | |
tree | 45fcba39084702cc31b3f90ef9bd4313bb1975db /sys/netinet/ip_ah.c | |
parent | dfec3874df398df20d2e0735832e7d277a3cc8fd (diff) |
Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@
Diffstat (limited to 'sys/netinet/ip_ah.c')
-rw-r--r-- | sys/netinet/ip_ah.c | 19 |
1 files changed, 2 insertions, 17 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 140065807c4..fc423f62982 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.165 2021/10/25 09:47:02 tobhe Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.166 2021/11/11 18:08:18 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -563,21 +563,18 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_wrap);
- error = ENOBUFS;
 goto drop;
 case 2:
 DPRINTF("old packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 case 3:
 DPRINTF("duplicate packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 default:
 DPRINTF("bogus value from checkreplaywindow() "
@@ -585,7 +582,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 }
 }
@@ -597,7 +593,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauthl);
- error = EACCES;
 goto drop;
 }
 if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
@@ -607,7 +602,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauthl);
- error = EACCES;
 goto drop;
 }
 
@@ -622,7 +616,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
- error = ENXIO;
 goto drop;
 }
 
@@ -638,7 +631,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 if (crp == NULL) {
 DPRINTF("failed to acquire crypto descriptors");
 ahstat_inc(ahs_crypto);
- error = ENOBUFS;
 goto drop;
 }
 
@@ -664,7 +656,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 if (ptr == NULL) {
 DPRINTF("failed to allocate buffer");
 ahstat_inc(ahs_crypto);
- error = ENOBUFS;
 goto drop;
 }
 
@@ -720,7 +711,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauth);
- error = -1;
 goto drop;
 }
 
@@ -750,21 +740,18 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_wrap);
- error = -1;
 goto drop;
 case 2:
 DPRINTF("old packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 case 3:
 DPRINTF("duplicate packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 default:
 DPRINTF("bogus value from checkreplaywindow() "
@@ -772,7 +759,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 }
 }
@@ -784,7 +770,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_hdrops);
- error = -1;
 goto drop;
 }
 
@@ -863,7 +848,7 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 free(ptr, M_XDATA, 0);
 m_freemp(mp);
 crypto_freereq(crp);
- return error;
+ return IPPROTO_DONE;
 }
 
 /* |
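Review bot: With `return IPPROTO_DONE;` at the end of the drop path, every failure in ah_input() now looks identical to the caller, so the ahstat counters and the DPRINTF lines are the only record of why a packet was discarded. The hard-lifetime path in the `@@ -622` hunk (`pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); tdb_delete(tdb); goto drop;`) increments no counter and prints nothing, and it used to be the one path that returned ENXIO; an ahstat increment there would keep that drop visible in the statistics. I would also add a comment above the return, for example `/* mbuf was released by m_freemp(); IPPROTO_DONE stops ip_deliver()'s header walk */`, because the return value has changed from an errno or -1 to a protocol number. ah_input() begins and its success path lies outside this hunk, so whether `error` still has other uses cannot be confirmed from here.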