Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c51
1 files changed, 27 insertions, 24 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 6f0a5fad5f2..13b33f3f947 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.161 2017/11/20 10:35:24 mpi Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.162 2018/05/12 21:24:43 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -193,24 +193,24 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
default:
DPRINTF(("%s: unsupported protocol family %d\n",
__func__, af));
- m_freem(m);
IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
- return EPFNOSUPPORT;
+ error = EPFNOSUPPORT;
+ goto drop;
}
return 0;
}
if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
- m_freem(m);
- ipcompstat_inc(ipcomps_pdrops);
DPRINTF(("%s: repeated decompression\n", __func__));
- return EINVAL;
+ ipcompstat_inc(ipcomps_pdrops);
+ error = EINVAL;
+ goto drop;
}
if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) {
- m_freem(m);
- IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
DPRINTF(("%s: packet too small\n", __func__));
- return EINVAL;
+ IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops);
+ error = EINVAL;
+ goto drop;
}
/* Retrieve the SPI from the relevant IPsec header */
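Review bot: The "packet too small" test that now jumps to `drop` is still a signed/unsigned comparison. `skip` is an `int`, and `m->m_pkthdr.len` is presumably one too, but `2 * sizeof(u_int32_t)` is a `size_t`, so a negative difference is converted to a large unsigned value and passes the check. Whether any caller can pass `skip` greater than the packet length is not visible in this hunk, but the guard should not rely on it; comparing in the signed domain closes the gap: `if (m->m_pkthdr.len - skip < (int)(2 * sizeof(u_int32_t))) {`. The line is unchanged context in this commit, and the body of ipsec_common_input starts and ends outside the hunk.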
@@ -262,9 +262,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
default:
DPRINTF(("%s: unsupported protocol family %d\n", __func__, af));
- m_freem(m);
IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
- return EPFNOSUPPORT;
+ error = EPFNOSUPPORT;
+ goto drop;
}
tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid),
@@ -273,45 +273,45 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n",
__func__,
ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)));
- m_freem(m);
IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb);
- return ENOENT;
+ error = ENOENT;
+ goto drop;
}
if (tdbp->tdb_flags & TDBF_INVALID) {
DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n",
__func__, ipsp_address(&dst_address, buf,
sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
}
if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n",
__func__, ipsp_address(&dst_address, buf,
sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
espstat_inc(esps_udpinval);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
}
if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n",
__func__, ipsp_address(&dst_address, buf,
sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
espstat_inc(esps_udpneeded);
- return EINVAL;
+ error = EINVAL;
+ goto drop;
}
if (tdbp->tdb_xform == NULL) {
DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n",
__func__, ipsp_address(&dst_address, buf,
sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform);
- return ENXIO;
+ error = ENXIO;
+ goto drop;
}
if (sproto != IPPROTO_IPCOMP) {
@@ -321,10 +321,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
__func__,
tdbp->tdb_tap, ipsp_address(&dst_address, buf,
sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
- m_freem(m);
-
IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops);
- return EACCES;
+ error = EACCES;
+ goto drop;
}
/* XXX This conflicts with the scoped nature of IPv6 */
@@ -348,6 +347,10 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
*/
error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff);
return error;
+
+ drop:
+ m_freem(m);
+ return error;
}
/*
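Review bot: The new `drop:` label carries no statement of the mbuf ownership rule it now encodes. It is reached only by `goto`, because the success path returns straight after handing `m` to `xf_input`, which presumably consumes the mbuf on both success and failure. A later error path added after that call that jumps to `drop` would free `m` a second time. A short comment above the label would pin this down, for example `/* Local failures only: once xf_input has been called it owns m, so never jump here after that point. */`. The function begins outside this hunk.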