Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r-- | sys/netinet/ipsec_input.c | 51 |
1 files changed, 27 insertions, 24 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 6f0a5fad5f2..13b33f3f947 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.161 2017/11/20 10:35:24 mpi Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.162 2018/05/12 21:24:43 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -193,24 +193,24 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 default:
 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af));
- m_freem(m);
 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
- return EPFNOSUPPORT;
+ error = EPFNOSUPPORT;
+ goto drop;
 }
 return 0;
 }
 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
- m_freem(m);
- ipcompstat_inc(ipcomps_pdrops);
 DPRINTF(("%s: repeated decompression\n", __func__));
- return EINVAL;
+ ipcompstat_inc(ipcomps_pdrops);
+ error = EINVAL;
+ goto drop;
 }
 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
- m_freem(m);
- IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
 DPRINTF(("%s: packet too small\n", __func__));
- return EINVAL;
+ IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
+ error = EINVAL;
+ goto drop;
 }
 /* Retrieve the SPI from the relevant IPsec header */
@@ -262,9 +262,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 default:
 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af));
- m_freem(m);
 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
- return EPFNOSUPPORT;
+ error = EPFNOSUPPORT;
+ goto drop;
 }
 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid),
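Review bot: In the `@@ -193` hunk, the `packet too small` guard that now jumps to `drop` compares `m->m_pkthdr.len - skip` with `2 * sizeof(u_int32_t)`, which is unsigned; `skip` is an `int` in the signature and the mbuf length appears to be signed as well, so a `skip` larger than the packet length would be converted to a very large value and the guard would not fire. Whether any caller can pass such a `skip` is not visible here, but this is the check that precedes the SPI read, so it should not depend on that assumption: `if (skip < 0 || m->m_pkthdr.len < skip || m->m_pkthdr.len - skip < (int)(2 * sizeof(u_int32_t))) {`. The function body starts and ends outside this hunk.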
@@ -273,45 +273,45 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n", __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)));
- m_freem(m);
 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb);
- return ENOENT;
+ error = ENOENT;
+ goto drop;
 }
 if (tdbp->tdb_flags & TDBF_INVALID) {
 DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n", __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
 }
 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
 DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n", __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
 espstat_inc(esps_udpinval);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
 }
 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
 DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n", __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
 espstat_inc(esps_udpneeded);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
 }
 if (tdbp->tdb_xform == NULL) {
 DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n", __func__, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform);
- return ENXIO;
+ error = ENXIO;
+ goto drop;
 }
 if (sproto != IPPROTO_IPCOMP) {
@@ -321,10 +321,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 __func__, tdbp->tdb_tap, ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
-
 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops);
- return EACCES;
+ error = EACCES;
+ goto drop;
 }
 /* XXX This conflicts with the scoped nature of IPv6 */
@@ -348,6 +347,10 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 */
 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff);
 return error;
+
+ drop:
+ m_freem(m);
+ return error;
 }
 /* |
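Review bot: The new `drop:` label frees `m` unconditionally, which is only safe for jumps taken before the `xf_input` call just above it; the `return error;` after that call does not free the mbuf, so ownership presumably passes to the transform at that point. Nothing at the label records this, and a later error path added after the call that reuses `goto drop` would free the mbuf a second time. I would state the contract where the label is defined, e.g. `/* drop: reached only while this function still owns m, i.e. before xf_input() is called */`. The function starts outside this hunk.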