Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netipsec Make sure the mbufs in the input path (only the...
details: https://anonhg.NetBSD.org/src/rev/55dd59c7bc17
branches: trunk
changeset: 773054:55dd59c7bc17
user: drochner <drochner%NetBSD.org@localhost>
date: Wed Jan 25 20:31:23 2012 +0000
description:
Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.
diffstat:
sys/netipsec/xform_ah.c | 18 +++++++++++++-----
sys/netipsec/xform_esp.c | 26 ++++++++++++++------------
sys/netipsec/xform_ipcomp.c | 19 +++++++++++++++----
3 files changed, 42 insertions(+), 21 deletions(-)
diffs (160 lines):
diff -r 057db4bc3b66 -r 55dd59c7bc17 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c Wed Jan 25 20:18:04 2012 +0000
+++ b/sys/netipsec/xform_ah.c Wed Jan 25 20:31:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.35 2012/01/24 21:57:03 drochner Exp $ */
+/* $NetBSD: xform_ah.c,v 1.36 2012/01/25 20:31:23 drochner Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
/*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.35 2012/01/24 21:57:03 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.36 2012/01/25 20:31:23 drochner Exp $");
#include "opt_inet.h"
#ifdef __FreeBSD__
@@ -641,7 +641,7 @@
struct tdb_crypto *tc;
struct m_tag *mtag;
struct newah *ah;
- int hl, rplen, authsize;
+ int hl, rplen, authsize, error;
struct cryptodesc *crda;
struct cryptop *crp;
@@ -746,10 +746,18 @@
return ENOBUFS;
}
+ error = m_makewritable(&m, 0, skip + rplen + authsize, M_NOWAIT);
+ if (error) {
+ m_freem(m);
+ DPRINTF(("ah_input: failed to copyback_cow\n"));
+ AH_STATINC(AH_STAT_HDROPS);
+ free(tc, M_XDATA);
+ crypto_freereq(crp);
+ return error;
+ }
+
/* Only save information if crypto processing is needed. */
if (mtag == NULL) {
- int error;
-
/*
* Save the authenticator, the skipped portion of the packet,
* and the AH header.
diff -r 057db4bc3b66 -r 55dd59c7bc17 sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c Wed Jan 25 20:18:04 2012 +0000
+++ b/sys/netipsec/xform_esp.c Wed Jan 25 20:31:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.39 2011/08/31 18:31:04 plunky Exp $ */
+/* $NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.39 2011/08/31 18:31:04 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.40 2012/01/25 20:31:23 drochner Exp $");
#include "opt_inet.h"
#ifdef __FreeBSD__
@@ -297,7 +297,7 @@
const struct enc_xform *espx;
struct tdb_ident *tdbi;
struct tdb_crypto *tc;
- int plen, alen, hlen;
+ int plen, alen, hlen, error;
struct m_tag *mtag;
struct newesp *esp;
@@ -398,6 +398,16 @@
return ENOBUFS;
}
+ error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT);
+ if (error) {
+ m_freem(m);
+ free(tc, M_XDATA);
+ crypto_freereq(crp);
+ DPRINTF(("esp_input: m_makewritable failed\n"));
+ ESP_STATINC(ESP_STAT_CRYPTO);
+ return error;
+ }
+
tc->tc_ptr = mtag;
if (esph) {
@@ -681,15 +691,7 @@
m_adj(m, -(lastthree[1] + 2));
/* Restore the Next Protocol field */
- m = m_copyback_cow(m, protoff, sizeof (u_int8_t), lastthree + 2,
- M_DONTWAIT);
-
- if (m == NULL) {
- ESP_STATINC(ESP_STAT_CRYPTO);
- DPRINTF(("esp_input_cb: failed to allocate mbuf\n"));
- error = ENOBUFS;
- goto bad;
- }
+ m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
diff -r 057db4bc3b66 -r 55dd59c7bc17 sys/netipsec/xform_ipcomp.c
--- a/sys/netipsec/xform_ipcomp.c Wed Jan 25 20:18:04 2012 +0000
+++ b/sys/netipsec/xform_ipcomp.c Wed Jan 25 20:31:23 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $ */
+/* $NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $ */
/* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.28 2011/05/06 21:48:46 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.29 2012/01/25 20:31:23 drochner Exp $");
/* IP payload compression protocol (IPComp), see RFC 2393 */
#include "opt_inet.h"
@@ -152,7 +152,7 @@
struct tdb_crypto *tc;
struct cryptodesc *crdc;
struct cryptop *crp;
- int hlen = IPCOMP_HLENGTH;
+ int error, hlen = IPCOMP_HLENGTH;
IPSEC_SPLASSERT_SOFTNET("ipcomp_input");
@@ -173,11 +173,22 @@
IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
return ENOBUFS;
}
+
+ error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT);
+ if (error) {
+ DPRINTF(("ipcomp_input: m_makewritable failed\n"));
+ m_freem(m);
+ free(tc, M_XDATA);
+ crypto_freereq(crp);
+ IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
+ return error;
+ }
+
crdc = crp->crp_desc;
crdc->crd_skip = skip + hlen;
crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
- crdc->crd_inject = skip;
+ crdc->crd_inject = 0; /* unused */
tc->tc_ptr = 0;
Home |
Main Index |
Thread Index |
Old Index