From afc0caa2f2f245982c85c9a367868e151de532cd Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 2 Apr 2003 20:09:27 +0000 Subject: o sanity check mbuf earlier. o return errno, not NULL. o add some missing error values o proper crypto_freereq() in ip_ipcomp.c From Patrick Latifi; OK angelos@ --- sys/netinet/ip_ah.c | 44 +++++++++++++++++------------------ sys/netinet/ip_esp.c | 43 +++++++++++++++++----------------- sys/netinet/ip_ipcomp.c | 62 +++++++++++++++++++++++++++---------------------- 3 files changed, 78 insertions(+), 71 deletions(-) (limited to 'sys') diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 9f8d0907f94..09df206fc98 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.73 2003/03/31 20:52:06 millert Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.74 2003/04/02 20:09:26 millert Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -704,7 +704,17 @@ ah_input_cb(void *op) skip = tc->tc_skip; protoff = tc->tc_protoff; mtag = (struct m_tag *) tc->tc_ptr; + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + ahstat.ahs_crypto++; + DPRINTF(("ah_input_cb(): bogus returned buffer from " + "crypto\n")); + return (EINVAL); + } s = spltdb(); @@ -738,16 +748,6 @@ ah_input_cb(void *op) crp = NULL; } - /* Shouldn't happen... */ - if (m == NULL) { - FREE(tc, M_XDATA); - ahstat.ahs_crypto++; - DPRINTF(("ah_input_cb(): bogus returned buffer from " - "crypto\n")); - error = EINVAL; - goto baddone; - } - if (!(tdb->tdb_flags & TDBF_NOREPLAY)) rplen = AH_FLENGTH + sizeof(u_int32_t); else @@ -969,7 +969,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip, ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); m_freem(m); ahstat.ahs_wrap++; - return NULL; + return EINVAL; } if (!(tdb->tdb_flags & TDBF_NOREPLAY)) 
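Review bot: The new `m == NULL` exit in ah_input_cb returns before `spltdb()` and does not go through `baddone`, so its cleanup is written by hand, and the `/* Shouldn't happen... */` comment does not say so. I would replace it with `/* crp_buf is NULL, so there is no mbuf to free: release tc and crp here and return without going through baddone. */`. The same block is added to ah_output_cb, esp_input_cb, esp_output_cb, ipcomp_input_cb and ipcomp_output_cb, and the comment applies to each copy. If DPRINTF compiles away outside debug kernels (not visible here), the shared `*_crypto` counter is the only trace of this condition in production. The body of ah_input_cb continues outside the hunk.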
@@ -1227,7 +1227,17 @@ ah_output_cb(void *op) skip = tc->tc_skip; protoff = tc->tc_protoff; ptr = (caddr_t) (tc + 1); + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + ahstat.ahs_crypto++; + DPRINTF(("ah_output_cb(): bogus returned buffer from " + "crypto\n")); + return (EINVAL); + } s = spltdb(); @@ -1256,16 +1266,6 @@ ah_output_cb(void *op) goto baddone; } - /* Shouldn't happen... */ - if (m == NULL) { - FREE(tc, M_XDATA); - ahstat.ahs_crypto++; - DPRINTF(("ah_output_cb(): bogus returned buffer from " - "crypto\n")); - error = EINVAL; - goto baddone; - } - /* * Copy original headers (with the new protocol number) back * in place. diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 0f584b6ceea..828cec43360 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.81 2003/03/31 20:52:06 millert Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.82 2003/04/02 20:09:26 millert Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -471,7 +471,16 @@ esp_input_cb(void *op) skip = tc->tc_skip; protoff = tc->tc_protoff; mtag = (struct m_tag *) tc->tc_ptr; + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + espstat.esps_crypto++; + DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); + return (EINVAL); + } s = spltdb(); @@ -502,15 +511,6 @@ esp_input_cb(void *op) goto baddone; } - /* Shouldn't happen... */ - if (m == NULL) { - FREE(tc, M_XDATA); - espstat.esps_crypto++; - DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n")); - error = EINVAL; - goto baddone; - } - /* If authentication was performed, check now. */ if (esph != NULL) { /* 
@@ -537,7 +537,6 @@ esp_input_cb(void *op) /* Remove trailing authenticator */ m_adj(m, -(esph->authsize)); } - FREE(tc, M_XDATA); /* Replay window checking, if appropriate */ @@ -976,7 +975,18 @@ esp_output_cb(void *op) int error, s; tc = (struct tdb_crypto *) crp->crp_opaque; + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + espstat.esps_crypto++; + DPRINTF(("esp_output_cb(): bogus returned buffer from " + "crypto\n")); + return (EINVAL); + } + s = spltdb(); @@ -1004,17 +1014,8 @@ esp_output_cb(void *op) crp->crp_etype)); error = crp->crp_etype; goto baddone; - } else - FREE(tc, M_XDATA); - - /* Shouldn't happen... */ - if (m == NULL) { - espstat.esps_crypto++; - DPRINTF(("esp_output_cb(): bogus returned buffer from " - "crypto\n")); - error = EINVAL; - goto baddone; } + FREE(tc, M_XDATA); /* Release crypto descriptors. */ crypto_freereq(crp); diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index f3ce1e56988..9530b0efc0a 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.13 2003/03/31 20:52:06 millert Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.14 2003/04/02 20:09:26 millert Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -226,7 +226,16 @@ ipcomp_input_cb(op) tc = (struct tdb_crypto *) crp->crp_opaque; skip = tc->tc_skip; protoff = tc->tc_protoff; + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + ipcompstat.ipcomps_crypto++; + DPRINTF(("ipcomp_input_cb(): bogus returned buffer from crypto\n")); + return (EINVAL); + } s = spltdb(); @@ -250,9 +259,8 @@ ipcomp_input_cb(op) FREE(tc, M_XDATA); pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); tdb_delete(tdb); - splx(s); - m_freem(m); - return ENXIO; + error = ENXIO; + goto baddone; } /* Notify on soft expiration */ if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 
@@ -279,34 +287,25 @@ ipcomp_input_cb(op) } FREE(tc, M_XDATA); - /* Shouldn't happen... */ - if (m == NULL) { - ipcompstat.ipcomps_crypto++; - DPRINTF(("ipcomp_input_cb(): bogus returned buffer from crypto\n")); - error = EINVAL; - goto baddone; - } - /* Release the crypto descriptors */ - crypto_freereq(crp); - /* Length of data after processing */ clen = crp->crp_olen; /* In case it's not done already, adjust the size of the mbuf chain */ m->m_pkthdr.len = clen + hlen + skip; - if ((m->m_len < skip + hlen) && (m = m_pullup(m, skip + hlen)) == 0) + if ((m->m_len < skip + hlen) && (m = m_pullup(m, skip + hlen)) == 0) { + error = ENOBUFS; goto baddone; + } /* Find the beginning of the IPCOMP header */ m1 = m_getptr(m, skip, &roff); if (m1 == NULL) { ipcompstat.ipcomps_hdrops++; - splx(s); DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi))); - m_freem(m); - return EINVAL; + error = EINVAL; + goto baddone; } /* Keep the next protocol field */ addr = (caddr_t) mtod(m, struct ip *) + skip; @@ -349,6 +348,9 @@ ipcomp_input_cb(op) m->m_pkthdr.len -= hlen; } + /* Release the crypto descriptors */ + crypto_freereq(crp); + /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof(u_int8_t), (u_int8_t *) & nproto); @@ -362,6 +364,7 @@ baddone: if (m) m_freem(m); + crypto_freereq(crp); return error; @@ -627,10 +630,20 @@ ipcomp_output_cb(cp) #endif tc = (struct tdb_crypto *) crp->crp_opaque; - m = (struct mbuf *) crp->crp_buf; skip = tc->tc_skip; rlen = crp->crp_ilen - skip; + m = (struct mbuf *) crp->crp_buf; + if (m == NULL) { + /* Shouldn't happen... */ + FREE(tc, M_XDATA); + crypto_freereq(crp); + ipcompstat.ipcomps_crypto++; + DPRINTF(("ipcomp_output_cb(): bogus returned buffer from " + "crypto\n")); + return (EINVAL); + } + s = spltdb(); tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); 
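Review bot: The `m_pullup()` failure branch in ipcomp_input_cb now jumps to `baddone` with `error = ENOBUFS`, but nothing documents why that is safe. On failure `m_pullup()` has already freed the chain and `m` holds the null result, so only the `if (m)` test at the label prevents a second free. A comment inside the new braces would record this: `/* m_pullup() freed the chain and left m NULL; baddone must not m_freem() it */`. While the line is being touched, `== 0` would read better as `== NULL`. The function starts and ends outside this hunk.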
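Review bot: After this patch `crp` is released in two places in ipcomp_input_cb, here on the success path and unconditionally at `baddone` (next hunk), and nothing records that the first release has happened. No `goto baddone` is visible after this call, but the code between the hunks is not shown, and a later edit that adds one would free the request twice. The ah_input_cb context in this same patch clears the pointer (`crp = NULL;`), apparently right after releasing it. Doing the same here, `crypto_freereq(crp); crp = NULL;`, and guarding the label with `if (crp != NULL) crypto_freereq(crp);`, would make the ownership explicit.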
@@ -638,6 +651,7 @@ ipcomp_output_cb(cp) FREE(tc, M_XDATA); ipcompstat.ipcomps_notdb++; DPRINTF(("ipcomp_output_cb(): TDB expired while in crypto\n")); + error = EPERM; goto baddone; } @@ -659,15 +673,6 @@ ipcomp_output_cb(cp) } FREE(tc, M_XDATA); - /* Shouldn't happen... */ - if (m == NULL) { - ipcompstat.ipcomps_crypto++; - DPRINTF(("ipcomp_output_cb(): bogus returned buffer from " - "crypto\n")); - error = EINVAL; - goto baddone; - } - /* Check sizes. */ if (rlen < crp->crp_olen) { /* Compression was useless, we have lost time. */ @@ -715,6 +720,7 @@ ipcomp_output_cb(cp) baddone: splx(s); + if (m) m_freem(m); -- cgit v1.2.3
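Review bot: `error` in ipcomp_output_cb is still assigned branch by branch, so any path that reaches `baddone` without setting it returns an indeterminate value to the caller. The `error = EPERM;` added here and the `error = ENOBUFS;` added to the `m_pullup()` branch of ipcomp_input_cb both patch exactly that kind of omission. The declaration and the remaining `goto baddone` sites are outside the hunk, so I cannot confirm that every one of them sets it. A defined failure default set once before the first jump, for example `error = EINVAL;`, would cover any path that was missed.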