author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-10-23 22:19:38 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-10-23 22:19:38 +0000 |
commit | a865bc42b5d7890c414bf76c6382bc8424fc5e8e (patch) | |
tree | e8fd847e1c36d97f3f9eb7cf62048fccfe8674a3 /sys/netinet/ip_ipsp.h | |
parent | a2989f90d80d4f9abde4d42c82d630096bd3d12a (diff) |
There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@
Diffstat (limited to 'sys/netinet/ip_ipsp.h')
-rw-r--r-- | sys/netinet/ip_ipsp.h | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 55452ca25c5..5703fe98ba4 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.211 2021/10/23 15:42:35 tobhe Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.212 2021/10/23 22:19:37 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -479,7 +479,7 @@ struct xformsw {
 int (*xf_init)(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int (*xf_zeroize)(struct tdb *); /* termination */
- int (*xf_input)(struct mbuf *, struct tdb *, int, int);
+ int (*xf_input)(struct mbuf **, struct tdb *, int, int);
 int (*xf_output)(struct mbuf *, struct tdb *, int, int);
 };
@@ -564,13 +564,13 @@ int tdb_walk(u_int, int (*)(struct tdb *, void *, int), void *);
 int ipe4_attach(void);
 int ipe4_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int ipe4_zeroize(struct tdb *);
-int ipe4_input(struct mbuf *, struct tdb *, int, int);
+int ipe4_input(struct mbuf **, struct tdb *, int, int);
 /* XF_AH */
 int ah_attach(void);
 int ah_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int ah_zeroize(struct tdb *);
-int ah_input(struct mbuf *, struct tdb *, int, int);
+int ah_input(struct mbuf **, struct tdb *, int, int);
 int ah_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
 int ah_output(struct mbuf *, struct tdb *, int, int);
 int ah_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
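Review bot: The `xf_input` member of `struct xformsw` (hunk at line 479) now takes `struct mbuf **`, but the header gives no hint of the ownership rule that the double pointer exists to express. The commit message says the m_pullup() in AH input may free or change the mbuf, so a short comment next to the member would help anyone adding or auditing a transform, for example `/* may free or replace *mp; callers must use *mp after return, never a saved pointer */`. The same contract applies to the `ipe4_input`, `ah_input`, `esp_input`, `ipcomp_input`, `tcp_signature_tdb_input` and `ipsec_common_input` prototypes changed in the later hunks, and one comment block covering them would be enough. Whether `*mp` is set to NULL on every error path cannot be seen from this header, so that part of the wording should be confirmed against the .c files before it is written down; the struct definition itself starts outside the hunk.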
@@ -589,7 +589,7 @@ int ah6_input(struct mbuf **, int *, int, int);
 int esp_attach(void);
 int esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int esp_zeroize(struct tdb *);
-int esp_input(struct mbuf *, struct tdb *, int, int);
+int esp_input(struct mbuf **, struct tdb *, int, int);
 int esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
 int esp_output(struct mbuf *, struct tdb *, int, int);
 int esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
@@ -607,7 +607,7 @@ int esp6_input(struct mbuf **, int *, int, int);
 int ipcomp_attach(void);
 int ipcomp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int ipcomp_zeroize(struct tdb *);
-int ipcomp_input(struct mbuf *, struct tdb *, int, int);
+int ipcomp_input(struct mbuf **, struct tdb *, int, int);
 int ipcomp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
 int ipcomp_output(struct mbuf *, struct tdb *, int, int);
 int ipcomp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
@@ -623,7 +623,7 @@ int tcp_signature_tdb_attach(void);
 int tcp_signature_tdb_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
 int tcp_signature_tdb_zeroize(struct tdb *);
-int tcp_signature_tdb_input(struct mbuf *, struct tdb *, int, int);
+int tcp_signature_tdb_input(struct mbuf **, struct tdb *, int, int);
 int tcp_signature_tdb_output(struct mbuf *, struct tdb *, int, int);
 /* Replay window */
@@ -647,7 +647,7 @@ void ipsp_ids_free(struct ipsec_ids *);
 void ipsp_init(void);
 void ipsec_init(void);
 int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
-int ipsec_common_input(struct mbuf *, int, int, int, int, int);
+int ipsec_common_input(struct mbuf **, int, int, int, int, int);
 int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
 int ipsec_delete_policy(struct ipsec_policy *);
 ssize_t ipsec_hdrsz(struct tdb *); |