diff options
Diffstat (limited to 'freebsd/sys/netipsec/xform_ipcomp.c')
-rw-r--r-- | freebsd/sys/netipsec/xform_ipcomp.c | 43 |
1 files changed, 31 insertions, 12 deletions
diff --git a/freebsd/sys/netipsec/xform_ipcomp.c b/freebsd/sys/netipsec/xform_ipcomp.c index 2c0f961f..c4048cc9 100644 --- a/freebsd/sys/netipsec/xform_ipcomp.c +++ b/freebsd/sys/netipsec/xform_ipcomp.c @@ -39,6 +39,7 @@ #include <sys/mbuf.h> #include <rtems/bsd/sys/lock.h> #include <sys/mutex.h> +#include <sys/rwlock.h> #include <sys/socket.h> #include <sys/kernel.h> #include <sys/protosw.h> @@ -143,8 +144,29 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) struct tdb_crypto *tc; struct cryptodesc *crdc; struct cryptop *crp; + struct ipcomp *ipcomp; + caddr_t addr; int hlen = IPCOMP_HLENGTH; + /* + * Check that the next header of the IPComp is not IPComp again, before + * doing any real work. Given it is not possible to do double + * compression it means someone is playing tricks on us. + */ + if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) { + V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + DPRINTF(("%s: m_pullup failed\n", __func__)); + return (ENOBUFS); + } + addr = (caddr_t) mtod(m, struct ip *) + skip; + ipcomp = (struct ipcomp *)addr; + if (ipcomp->comp_nxt == IPPROTO_IPCOMP) { + m_freem(m); + V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */ + DPRINTF(("%s: recursive compression detected\n", __func__)); + return (EINVAL); + } + /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { @@ -187,6 +209,8 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) tc->tc_proto = sav->sah->saidx.proto; tc->tc_protoff = protoff; tc->tc_skip = skip; + KEY_ADDREFSA(sav); + tc->tc_sav = sav; return crypto_dispatch(crp); } @@ -230,13 +254,8 @@ ipcomp_input_cb(struct cryptop *crp) mtag = (struct mtag *) tc->tc_ptr; m = (struct mbuf *) crp->crp_buf; - sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); - if (sav == NULL) { - V_ipcompstat.ipcomps_notdb++; - DPRINTF(("%s: SA expired while in crypto\n", __func__)); - error = ENOBUFS; /*XXX*/ - goto bad; - } + sav = tc->tc_sav; + IPSEC_ASSERT(sav != NULL, ("null SA!")); saidx = &sav->sah->saidx; IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET || @@ -250,7 +269,6 @@ ipcomp_input_cb(struct cryptop *crp) sav->tdb_cryptoid = crp->crp_sid; if (crp->crp_etype == EAGAIN) { - KEY_FREESAV(&sav); return crypto_dispatch(crp); } V_ipcompstat.ipcomps_noxform++; @@ -433,6 +451,8 @@ ipcomp_output( } tc->tc_isr = isr; + KEY_ADDREFSA(sav); + tc->tc_sav = sav; tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; @@ -473,14 +493,14 @@ ipcomp_output_cb(struct cryptop *crp) isr = tc->tc_isr; IPSECREQUEST_LOCK(isr); - sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); - if (sav == NULL) { + sav = tc->tc_sav; + /* With the isr lock released SA pointer can be updated. */ + if (sav != isr->sav) { V_ipcompstat.ipcomps_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; } - IPSEC_ASSERT(isr->sav == sav, ("SA changed\n")); /* Check for crypto errors */ if (crp->crp_etype) { @@ -489,7 +509,6 @@ ipcomp_output_cb(struct cryptop *crp) sav->tdb_cryptoid = crp->crp_sid; if (crp->crp_etype == EAGAIN) { - KEY_FREESAV(&sav); IPSECREQUEST_UNLOCK(isr); return crypto_dispatch(crp); } |