authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-06-18 19:25:49 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2002-06-18 19:25:49 +0000
commit285b7314960d3f2b27178faa4037ade8d6686c1f (patch)
tree1398540151ffe0d872d3fe18c79f39dcb5a5f6a5 /sys/netinet/ip_esp.c
parent7a21491a727b2e6691f33135f3b21c5466d51b29 (diff)
Same as with ip_ah.c (fix unreachable reference-after-free)
Diffstat (limited to 'sys/netinet/ip_esp.c')
-rw-r--r--sys/netinet/ip_esp.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index e760cefa7db..975cf803b6d 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.70 2002/05/31 02:22:21 angelos Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.71 2002/06/18 19:25:48 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -495,9 +495,9 @@ esp_input_cb(void *op)
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
- FREE(tc, M_XDATA);
if (tdb == NULL)
{
+ FREE(tc, M_XDATA);
espstat.esps_notdb++;
DPRINTF(("esp_input_cb(): TDB is expired while in crypto"));
goto baddone;
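Review bot: Moving the single `FREE(tc, M_XDATA)` into each exit path spreads the release of tc over five sites in esp_input_cb: this `tdb == NULL` branch, the crypto-error branch, the `m == NULL` branch, the authenticator-failure branch and the unconditional one before replay checking. Any `goto baddone` added later between gettdb() and that last FREE would leak tc, and a path that reaches two of these sites would free it twice. Consider a single release point instead: `FREE(tc, M_XDATA); tc = NULL;` on the success path and `if (tc != NULL) FREE(tc, M_XDATA);` at the baddone label. That label is outside the visible hunks, so its current contents need checking before adopting this.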
@@ -509,6 +509,8 @@ esp_input_cb(void *op)
/* Check for crypto errors */
if (crp->crp_etype)
{
+ FREE(tc, M_XDATA);
+
/* Reset the session ID */
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
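Review bot: The `FREE(tc, M_XDATA)` added at the top of the `if (crp->crp_etype)` branch runs before everything else that branch does, and the rest of the branch lies outside this hunk. If any path in it hands crp back to the crypto layer for a retry (for example on a transient error) instead of going to baddone, the callback would presumably run again and read the freed tc when it calls gettdb() with `tc->tc_spi`. Placing the free after the retry decision, directly before the error is counted, would avoid that. A comment such as `/* tc must stay valid if crp is re-dispatched */` would record the constraint.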
@@ -528,6 +530,7 @@ esp_input_cb(void *op)
/* Shouldn't happen... */
if (m == NULL)
{
+ FREE(tc, M_XDATA);
espstat.esps_crypto++;
DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n"));
error = EINVAL;
@@ -552,6 +555,7 @@ esp_input_cb(void *op)
/* Verify authenticator */
if (bcmp(ptr, aalg, esph->authsize))
{
+ FREE(tc, M_XDATA);
DPRINTF(("esp_input_cb(): authentication failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
espstat.esps_badauth++;
error = EACCES;
@@ -563,6 +567,8 @@ esp_input_cb(void *op)
m_adj(m, -(esph->authsize));
}
+ FREE(tc, M_XDATA);
+
/* Replay window checking, if appropriate */
if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY)))
{
@@ -1017,7 +1023,6 @@ esp_output_cb(void *op)
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
-
FREE(tc, M_XDATA);
if (tdb == NULL) {
espstat.esps_notdb++;