From 63133a5098f29b03c7e694178b32509cbfa3766d Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Thu, 11 Nov 2021 18:08:19 +0000
Subject: Do not call ip_deliver() recursively from IPsec.

As there is no crypto task anymore, it is possible to return the next protocol. Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@
---
 sys/netinet/ip_ah.c | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)
(limited to 'sys/netinet/ip_ah.c')
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 140065807c4..fc423f62982 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.165 2021/10/25 09:47:02 tobhe Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.166 2021/11/11 18:08:18 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -563,21 +563,18 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_wrap);
- error = ENOBUFS;
 goto drop;
 case 2:
 DPRINTF("old packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 case 3:
 DPRINTF("duplicate packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 default:
 DPRINTF("bogus value from checkreplaywindow() "
@@ -585,7 +582,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = ENOBUFS;
 goto drop;
 }
 }
@@ -597,7 +593,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauthl);
- error = EACCES;
 goto drop;
 }
 if (skip + ahx->authsize + rplen > m->m_pkthdr.len) {
@@ -607,7 +602,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauthl);
- error = EACCES;
 goto drop;
 }
 
@@ -622,7 +616,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes) {
 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
 tdb_delete(tdb);
- error = ENXIO;
 goto drop;
 }
 
@@ -638,7 +631,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 if (crp == NULL) {
 DPRINTF("failed to acquire crypto descriptors");
 ahstat_inc(ahs_crypto);
- error = ENOBUFS;
 goto drop;
 }
 
@@ -664,7 +656,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 if (ptr == NULL) {
 DPRINTF("failed to allocate buffer");
 ahstat_inc(ahs_crypto);
- error = ENOBUFS;
 goto drop;
 }
 
@@ -720,7 +711,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_badauth);
- error = -1;
 goto drop;
 }
 
@@ -750,21 +740,18 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_wrap);
- error = -1;
 goto drop;
 case 2:
 DPRINTF("old packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 case 3:
 DPRINTF("duplicate packet received in SA %s/%08x",
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 default:
 DPRINTF("bogus value from checkreplaywindow() "
@@ -772,7 +759,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_replay);
- error = -1;
 goto drop;
 }
 }
@@ -784,7 +770,6 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
 ntohl(tdb->tdb_spi));
 ahstat_inc(ahs_hdrops);
- error = -1;
 goto drop;
 }
 
@@ -863,7 +848,7 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 free(ptr, M_XDATA, 0);
 m_freemp(mp);
 crypto_freereq(crp);
- return error;
+ return IPPROTO_DONE;
 }
 
 /*
-- 
cgit v1.2.3
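Review bot: The new `return IPPROTO_DONE;` at the shared `drop` label (hunk -863) makes every failure in ah_input — replay-window rejection, bad authenticator length, hard-lifetime expiry, crypto descriptor or buffer allocation failure, and authentication failure — indistinguishable to the caller, whereas the `error` assignments removed in hunks -563 through -784 previously carried ENOBUFS, EACCES, ENXIO or -1; the cause now survives only in the ahstat counters and DPRINTF output, which is acceptable but nowhere stated. I would document that contract above the label: `/* drop: packet consumed and *mp freed; IPPROTO_DONE ends ip_deliver()'s header walk. */` — this assumes m_freemp() clears *mp, which is outside the hunk. If `int error` is still declared at the top of ah_input (also outside the hunk), none of these paths assigns it any more; if nothing else reads it, remove the declaration rather than leave a set-but-unused local. The body of ah_input, including the success path that presumably returns the next protocol, starts well before these hunks and is not visible here.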