Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pfkeyv2.c30
-rw-r--r--sys/net/pfkeyv2.h4
-rw-r--r--sys/net/pfkeyv2_convert.c10
3 files changed, 31 insertions, 13 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index de6f91aee0d..a757bf04d8e 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.207 2020/08/28 12:43:59 tobhe Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.208 2020/12/14 20:20:06 tobhe Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -1339,13 +1339,19 @@ pfkeyv2_send(struct socket *so, void *message, int len)
newsa->tdb_ids_swapped,
headers[SADB_EXT_IDENTITY_SRC],
headers[SADB_EXT_IDENTITY_DST]);
- import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
+ if ((rval = import_flow(&newsa->tdb_filter,
+ &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
headers[SADB_X_EXT_DST_FLOW],
headers[SADB_X_EXT_DST_MASK],
headers[SADB_X_EXT_PROTOCOL],
- headers[SADB_X_EXT_FLOW_TYPE]);
+ headers[SADB_X_EXT_FLOW_TYPE]))) {
+ tdb_free(freeme);
+ freeme = NULL;
+ NET_UNLOCK();
+ goto ret;
+ }
import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]);
import_rdomain(newsa, headers[SADB_X_EXT_RDOMAIN]);
#if NPF > 0
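Review bot: After `tdb_free(freeme)` the local `newsa` still points at the released tdb, and the relation between `freeme` and `newsa` is not visible in this hunk; if `ret:` or anything later in this case touches `newsa`, that is a use-after-free. Unless the `ret:` label already drops `freeme` (it is outside the hunk), consider clearing the alias as well, `newsa = NULL;`, so a stray later reference faults instead of reading freed memory. The `NET_UNLOCK()` before `goto ret` is only correct if every other path to `ret` in this case also releases the lock the same way, which cannot be confirmed from here. pfkeyv2_send begins and ends outside this hunk.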
@@ -1511,13 +1517,19 @@ pfkeyv2_send(struct socket *so, void *message, int len)
headers[SADB_EXT_IDENTITY_SRC],
headers[SADB_EXT_IDENTITY_DST]);
- import_flow(&newsa->tdb_filter, &newsa->tdb_filtermask,
+ if ((rval = import_flow(&newsa->tdb_filter,
+ &newsa->tdb_filtermask,
headers[SADB_X_EXT_SRC_FLOW],
headers[SADB_X_EXT_SRC_MASK],
headers[SADB_X_EXT_DST_FLOW],
headers[SADB_X_EXT_DST_MASK],
headers[SADB_X_EXT_PROTOCOL],
- headers[SADB_X_EXT_FLOW_TYPE]);
+ headers[SADB_X_EXT_FLOW_TYPE]))) {
+ tdb_free(freeme);
+ freeme = NULL;
+ NET_UNLOCK();
+ goto ret;
+ }
import_udpencap(newsa, headers[SADB_X_EXT_UDPENCAP]);
import_rdomain(newsa, headers[SADB_X_EXT_RDOMAIN]);
#if NPF > 0
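Review bot: The error block added here is a verbatim copy of the one added in the previous hunk (`tdb_free(freeme); freeme = NULL; NET_UNLOCK(); goto ret;`), and the same caveat applies that `newsa` is left pointing at freed memory. A shared failure label inside pfkeyv2_send, or a small static helper, would keep the two SA cases from drifting apart the next time one of the import_* routines grows a return value. Only import_flow was given an error return in this commit; import_udpencap and import_rdomain on the lines right after are still void, so any validation they might need still cannot be reported to the caller. pfkeyv2_send continues outside this hunk.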
@@ -1830,10 +1842,14 @@ pfkeyv2_send(struct socket *so, void *message, int len)
else
ssrc = NULL;
- import_flow(&encapdst, &encapnetmask,
+ if ((rval = import_flow(&encapdst, &encapnetmask,
headers[SADB_X_EXT_SRC_FLOW], headers[SADB_X_EXT_SRC_MASK],
headers[SADB_X_EXT_DST_FLOW], headers[SADB_X_EXT_DST_MASK],
- headers[SADB_X_EXT_PROTOCOL], headers[SADB_X_EXT_FLOW_TYPE]);
+ headers[SADB_X_EXT_PROTOCOL],
+ headers[SADB_X_EXT_FLOW_TYPE]))) {
+ NET_UNLOCK();
+ goto ret;
+ }
/* Determine whether the exact same SPD entry already exists. */
if ((rn = rn_match(&encapdst, rnh)) != NULL) {
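Review bot: import_flow returns 0 without touching `encapdst`/`encapnetmask` when `headers[SADB_X_EXT_SRC_FLOW]` is NULL (the early return in pfkeyv2_convert.c), so this path only reaches rn_match with a meaningful key if the message parser has already required the flow extensions for SADB_X_ADDFLOW, and that check is not visible here. If it is not enforced there, reject the missing header before the call, `if (headers[SADB_X_EXT_SRC_FLOW] == NULL) { rval = EINVAL; NET_UNLOCK(); goto ret; }`, rather than matching on whatever the two locals happen to hold. The case body continues past the hunk.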
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 6bf38870029..bef399018a9 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.85 2020/11/05 19:28:27 phessler Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.86 2020/12/14 20:20:06 tobhe Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
@@ -429,7 +429,7 @@ void import_identities(struct ipsec_ids **, int, struct sadb_ident *,
void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
-void import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
+int import_flow(struct sockaddr_encap *, struct sockaddr_encap *,
struct sadb_address *, struct sadb_address *, struct sadb_address *,
struct sadb_address *, struct sadb_protocol *, struct sadb_protocol *);
void import_udpencap(struct tdb *, struct sadb_x_udpencap *);
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 1d79e925c6c..f4fbf0f681b 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.69 2020/11/05 19:28:28 phessler Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.70 2020/12/14 20:20:06 tobhe Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -422,7 +422,7 @@ export_lifetime(void **p, struct tdb *tdb, int type)
* Import flow information to two struct sockaddr_encap's. Either
* all or none of the address arguments are NULL.
*/
-void
+int
import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask,
struct sadb_address *ssrc, struct sadb_address *ssrcmask,
struct sadb_address *ddst, struct sadb_address *ddstmask,
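Review bot: The block comment above the signature still describes only the inputs; now that the function reports failure it should state the contract, e.g. `* Returns 0 on success, or EINVAL if the four address families do not all agree.` It is also worth saying that `flow` and `flowmask` are zeroed before the family check, so their contents must not be relied upon after a non-zero return; that keeps a future caller from keeping a half-initialised filter on an SA it does not discard. import_flow's body runs past this hunk.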
@@ -435,7 +435,7 @@ import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask,
union sockaddr_union *dstmask = (union sockaddr_union *)(ddstmask + 1);
if (ssrc == NULL)
- return; /* There wasn't any information to begin with. */
+ return 0; /* There wasn't any information to begin with. */
bzero(flow, sizeof(*flow));
bzero(flowmask, sizeof(*flowmask));
@@ -450,7 +450,7 @@ import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask,
if ((src->sa.sa_family != dst->sa.sa_family) ||
(src->sa.sa_family != srcmask->sa.sa_family) ||
(src->sa.sa_family != dstmask->sa.sa_family))
- return;
+ return EINVAL;
/*
* We set these as an indication that tdb_filter/tdb_filtermask are
@@ -513,6 +513,8 @@ import_flow(struct sockaddr_encap *flow, struct sockaddr_encap *flowmask,
break;
#endif /* INET6 */
}
+
+ return 0;
}
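Review bot: The `return 0` here is reached for any sa_family the switch above does not handle, and the check earlier in the function only requires the four families to be equal, not that they are AF_INET or AF_INET6; unless the switch (its cases are outside this hunk) has a `default:` that fails, a message whose four addresses all carry an unsupported family is accepted with a zeroed flow and the "filter in use" markers set. Adding `default: return EINVAL;` to the switch, or rejecting unknown families right after the equality test, closes that gap. The switch opening and the rest of the body are outside this hunk.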
/*