ip output: ensure that mbufs are mapped if ipsec is enabled
Ipsec needs access to packet headers to determine if a policy is applicable. It seems that typically IP headers are mapped, but the code is arguably needs to check this before blindly accessing them. Then, operations like m_unshare() and m_makespace() are not yet ready for unmapped mbufs. Ensure that the packet is mapped before calling into IPSEC_OUTPUT(). PR: 272616 Reviewed by: jhb, markj Sponsored by: NVidia networking MFC after: 1 week Differential revision: https://reviews.freebsd.org/D41112
This commit is contained in:
parent
ff4633d9f8
commit
bc310a95c5
@ -671,6 +671,12 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
|
||||
sendit:
|
||||
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
|
||||
if (IPSEC_ENABLED(ipv4)) {
|
||||
m = mb_unmapped_to_ext(m);
|
||||
if (m == NULL) {
|
||||
IPSTAT_INC(ips_odropped);
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
}
|
||||
if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) {
|
||||
if (error == EINPROGRESS)
|
||||
error = 0;
|
||||
|
@ -461,6 +461,12 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
|
||||
* XXX: need scope argument.
|
||||
*/
|
||||
if (IPSEC_ENABLED(ipv6)) {
|
||||
m = mb_unmapped_to_ext(m);
|
||||
if (m == NULL) {
|
||||
IP6STAT_INC(ip6s_odropped);
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
}
|
||||
if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) {
|
||||
if (error == EINPROGRESS)
|
||||
error = 0;
|
||||
|
Loading…
Reference in New Issue
Block a user