Change ipsec_address() and ipsec_logsastr() functions to take two

additional arguments - buffer and size of this buffer.

ipsec_address() is used to convert a sockaddr structure to presentation
format. The IPv6 part of this function returns a pointer to an on-stack
buffer, which has become invalid by the time the caller uses it. The
IPv4 version uses 4 static buffers and returns a pointer to a new buffer
each time it is called, but it is still possible to get corrupted data
when several threads use this function.

ipsec_logsastr() is used to format string about SA entry. It also
uses static buffer and has the same problem with concurrent threads.

To fix these problems add the buffer pointer and size of this
buffer to arguments. Now each caller will pass buffer and its size
to these functions. Also convert all places where these functions
are used (except disabled code).

And now ipsec_address() uses inet_ntop() function from libkern.

PR:		185996
Differential Revision:	https://reviews.freebsd.org/D2321
Reviewed by:	gnn
Sponsored by:	Yandex LLC
Andrey V. Elsukov 2015-04-18 16:58:33 +00:00
parent 1d3b268c04
commit 962ac6c727
7 changed files with 104 additions and 131 deletions


@ -1488,6 +1488,7 @@ ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
int
ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
{
char buf[128];
struct secreplay *replay;
u_int32_t diff;
int fr;
@ -1567,7 +1568,8 @@ ok:
return (1);
ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n",
__func__, replay->overflow, ipsec_logsastr(sav)));
__func__, replay->overflow,
ipsec_logsastr(sav, buf, sizeof(buf))));
}
replay->count++;
@ -1598,67 +1600,37 @@ vshiftl(unsigned char *bitmap, int nbit, int wsize)
}
}
#ifdef INET
/* Return a printable string for the IPv4 address. */
static char *
inet_ntoa4(struct in_addr ina)
{
static char buf[4][4 * sizeof "123" + 4];
unsigned char *ucp = (unsigned char *) &ina;
static int i = 3;
/* XXX-BZ Returns static buffer. */
i = (i + 1) % 4;
sprintf(buf[i], "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff,
ucp[2] & 0xff, ucp[3] & 0xff);
return (buf[i]);
}
#endif
/* Return a printable string for the address. */
char *
ipsec_address(union sockaddr_union* sa)
char*
ipsec_address(union sockaddr_union* sa, char *buf, socklen_t size)
{
#ifdef INET6
char ip6buf[INET6_ADDRSTRLEN];
#endif
switch (sa->sa.sa_family) {
#ifdef INET
case AF_INET:
return (inet_ntoa4(sa->sin.sin_addr));
return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size));
#endif /* INET */
#ifdef INET6
case AF_INET6:
return (ip6_sprintf(ip6buf, &sa->sin6.sin6_addr));
return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, buf, size));
#endif /* INET6 */
default:
return ("(unknown address family)");
}
}
const char *
ipsec_logsastr(struct secasvar *sav)
char *
ipsec_logsastr(struct secasvar *sav, char *buf, size_t size)
{
static char buf[256];
char *p;
struct secasindex *saidx = &sav->sah->saidx;
char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN];
IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
("address family mismatch"));
p = buf;
snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
while (p && *p)
p++;
/* NB: only use ipsec_address on one address at a time. */
snprintf(p, sizeof (buf) - (p - buf), "src=%s ",
ipsec_address(&saidx->src));
while (p && *p)
p++;
snprintf(p, sizeof (buf) - (p - buf), "dst=%s)",
ipsec_address(&saidx->dst));
IPSEC_ASSERT(sav->sah->saidx.src.sa.sa_family ==
sav->sah->saidx.dst.sa.sa_family, ("address family mismatch"));
snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)",
(u_long)ntohl(sav->spi),
ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)),
ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf)));
return (buf);
}
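Review bot: ipsec_address() is declared to return `char *` but does not always return `buf`: the `default:` case returns the string literal "(unknown address family)", and inet_ntop() presumably returns NULL when `size` is too small for the address. A caller that reads `buf` directly after the call, or writes through the returned pointer, would see an unfilled buffer or modify a literal. I would make the return type `const char *` here and in the extern declaration in the header section, and add a comment above the function such as `/* Returns buf on success; may return a string literal or NULL, so always use the return value, never buf directly. */`. Separately, the new ipsec_logsastr() prints the SPI as `%08lx` where the old code used `%u`, so anything that parses these log lines will see a different format.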


@ -327,8 +327,8 @@ extern size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
union sockaddr_union;
extern char * ipsec_address(union sockaddr_union* sa);
extern const char *ipsec_logsastr(struct secasvar *);
extern char *ipsec_address(union sockaddr_union *, char *, socklen_t);
extern char *ipsec_logsastr(struct secasvar *, char *, size_t);
extern void ipsec_dumpmbuf(struct mbuf *);


@ -121,6 +121,7 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
char buf[INET6_ADDRSTRLEN];
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
@ -215,8 +216,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
sav = KEY_ALLOCSA(&dst_address, sproto, spi);
if (sav == NULL) {
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
__func__, ipsec_address(&dst_address, buf, sizeof(buf)),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, notdb);
m_freem(m);
return ENOENT;
@ -224,8 +225,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
__func__, ipsec_address(&dst_address, buf, sizeof(buf)),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, noxform);
KEY_FREESAV(&sav);
m_freem(m);
@ -327,6 +328,7 @@ int
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
int protoff)
{
char buf[INET6_ADDRSTRLEN];
int prot, af, sproto, isr_prot;
struct ip *ip;
struct m_tag *mtag;
@ -365,8 +367,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
*/
if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
__func__, ipsec_address(&sav->sah->saidx.dst,
buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, hdrops);
error = ENOBUFS;
goto bad;
@ -622,6 +624,7 @@ int
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
int protoff)
{
char buf[INET6_ADDRSTRLEN];
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
@ -658,8 +661,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, hdrops);
error = EACCES;
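Review bot: The new `char buf[INET6_ADDRSTRLEN];` locals in ipsec_common_input(), ipsec4_common_input_cb() and ipsec6_common_input_cb() are referenced only inside DPRINTF(). DPRINTF's definition is not on this page; if it expands to nothing in kernels built without IPsec debugging, each of these becomes an unused variable that still occupies 46 bytes of kernel stack per frame. Declaring them under the same preprocessor condition as DPRINTF, or as `char buf[INET6_ADDRSTRLEN] __unused;`, would at least keep the build warning-free. The same pattern appears in the ipsec4_process_packet()/ipsec6_process_packet() section and in the AH, ESP and IPComp transform sections below. All three function bodies here continue outside the hunks.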


@ -529,6 +529,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
int
ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
{
char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN];
union sockaddr_union *dst;
struct secasindex saidx;
struct secasvar *sav;
@ -579,9 +580,10 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
if (error != 0) {
DPRINTF(("%s: encapsulation for SA %s->%s "
"SPI 0x%08x failed with error %d\n", __func__,
ipsec_address(&sav->sah->saidx.src),
ipsec_address(&sav->sah->saidx.dst),
ntohl(sav->spi), error));
ipsec_address(&sav->sah->saidx.src, sbuf,
sizeof(sbuf)),
ipsec_address(&sav->sah->saidx.dst, dbuf,
sizeof(dbuf)), ntohl(sav->spi), error));
goto bad;
}
}
@ -650,11 +652,9 @@ in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr
* IPsec output logic for IPv6.
*/
int
ipsec6_process_packet(
struct mbuf *m,
struct ipsecrequest *isr
)
ipsec6_process_packet(struct mbuf *m, struct ipsecrequest *isr)
{
char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN];
struct secasindex saidx;
struct secasvar *sav;
struct ip6_hdr *ip6;
@ -704,9 +704,10 @@ ipsec6_process_packet(
if (error != 0) {
DPRINTF(("%s: encapsulation for SA %s->%s "
"SPI 0x%08x failed with error %d\n", __func__,
ipsec_address(&sav->sah->saidx.src),
ipsec_address(&sav->sah->saidx.dst),
ntohl(sav->spi), error));
ipsec_address(&sav->sah->saidx.src, sbuf,
sizeof(sbuf)),
ipsec_address(&sav->sah->saidx.dst, dbuf,
sizeof(dbuf)), ntohl(sav->spi), error));
goto bad;
}
}


@ -567,6 +567,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
static int
ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
char buf[128];
struct auth_hash *ahx;
struct tdb_crypto *tc;
struct newah *ah;
@ -596,7 +597,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
AHSTAT_INC(ahs_replay);
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
ipsec_logsastr(sav, buf, sizeof(buf))));
m_freem(m);
return ENOBUFS;
}
@ -607,10 +608,10 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
authsize = AUTHSIZE(sav);
if (hl != authsize + rplen - sizeof (struct ah)) {
DPRINTF(("%s: bad authenticator length %u (expecting %lu)"
" for packet in SA %s/%08lx\n", __func__,
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
" for packet in SA %s/%08lx\n", __func__, hl,
(u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauthl);
m_freem(m);
return EACCES;
@ -695,6 +696,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ah_input_cb(struct cryptop *crp)
{
char buf[INET6_ADDRSTRLEN];
int rplen, error, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m;
@ -764,7 +766,7 @@ ah_input_cb(struct cryptop *crp)
if (bcmp(ptr + skip + rplen, calc, authsize)) {
DPRINTF(("%s: authentication hash mismatch for packet "
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_badauth);
error = EACCES;
@ -803,8 +805,8 @@ ah_input_cb(struct cryptop *crp)
error = m_striphdr(m, skip, rplen + authsize);
if (error) {
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_hdrops);
goto bad;
}
@ -843,13 +845,10 @@ bad:
* AH output routine, called by ipsec[46]_process_packet().
*/
static int
ah_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct mbuf **mp,
int skip,
int protoff)
ah_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
int skip, int protoff)
{
char buf[INET6_ADDRSTRLEN];
struct secasvar *sav;
struct auth_hash *ahx;
struct cryptodesc *crda;
@ -887,7 +886,7 @@ ah_output(
DPRINTF(("%s: unknown/unsupported protocol family %u, "
"SA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_nopf);
error = EPFNOSUPPORT;
@ -897,7 +896,7 @@ ah_output(
if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) {
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
AHSTAT_INC(ahs_toobig);
@ -911,7 +910,7 @@ ah_output(
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_hdrops);
error = ENOBUFS;
@ -924,7 +923,7 @@ ah_output(
DPRINTF(("%s: failed to inject %u byte AH header for SA "
"%s/%08lx\n", __func__,
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */
error = ENOBUFS;
@ -951,9 +950,8 @@ ah_output(
if (sav->replay->count == ~0 &&
(sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n",
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
AHSTAT_INC(ahs_wrap);
error = EINVAL;
goto bad;
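Review bot: `char buf[128];` in ah_input() is a bare magic number serving two different uses, the full ipsec_logsastr() string and a single ipsec_address() result, and the same literal is repeated in ipsec_updatereplay(), esp_input() and esp_input_cb(). ipsec_logsastr() formats with snprintf(), so an undersized buffer truncates silently rather than overflowing, but nothing ties 128 to the format string "SA(SPI=%08lx src=%s dst=%s)" with its two INET6_ADDRSTRLEN-sized addresses. A named constant next to the ipsec_logsastr() prototype, with a comment stating how it is derived, would keep callers and formatter in step. ah_input()'s body continues outside the hunks.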


@ -268,6 +268,7 @@ esp_zeroize(struct secasvar *sav)
static int
esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
{
char buf[128];
struct auth_hash *esph;
struct enc_xform *espx;
struct tdb_crypto *tc;
@ -326,9 +327,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if ((plen & (espx->blocksize - 1)) || (plen <= 0)) {
DPRINTF(("%s: payload of %d octets not a multiple of %d octets,"
" SA %s/%08lx\n", __func__,
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst,
buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_badilen);
m_freem(m);
return EINVAL;
@ -340,7 +340,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph != NULL && sav->replay != NULL &&
!ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
ipsec_logsastr(sav, buf, sizeof(buf)))); /*XXX*/
ESPSTAT_INC(esps_replay);
m_freem(m);
return ENOBUFS; /*XXX*/
@ -431,6 +431,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
esp_input_cb(struct cryptop *crp)
{
char buf[128];
u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN];
int hlen, skip, protoff, error, alen;
struct mbuf *m;
@ -507,7 +508,7 @@ esp_input_cb(struct cryptop *crp)
if (bcmp(ptr, aalg, alen) != 0) {
DPRINTF(("%s: authentication hash mismatch for "
"packet in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_badauth);
error = EACCES;
@ -537,7 +538,7 @@ esp_input_cb(struct cryptop *crp)
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav)));
ipsec_logsastr(sav, buf, sizeof(buf))));
ESPSTAT_INC(esps_replay);
error = ENOBUFS;
goto bad;
@ -555,7 +556,7 @@ esp_input_cb(struct cryptop *crp)
if (error) {
ESPSTAT_INC(esps_hdrops);
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
goto bad;
}
@ -567,10 +568,10 @@ esp_input_cb(struct cryptop *crp)
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
ESPSTAT_INC(esps_badilen);
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
"in SA %s/%08lx\n", __func__, lastthree[1],
m->m_pkthdr.len - skip,
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EINVAL;
goto bad;
}
@ -580,9 +581,9 @@ esp_input_cb(struct cryptop *crp)
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
ESPSTAT_INC(esps_badenc);
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
"SA %s/%08lx\n", __func__, ipsec_address(
&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EINVAL;
goto bad;
}
@ -628,14 +629,10 @@ bad:
* ESP output routine, called by ipsec[46]_process_packet().
*/
static int
esp_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct mbuf **mp,
int skip,
int protoff
)
esp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
int skip, int protoff)
{
char buf[INET6_ADDRSTRLEN];
struct enc_xform *espx;
struct auth_hash *esph;
int hlen, rlen, padding, blks, alen, i, roff;
@ -703,8 +700,8 @@ esp_output(
default:
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst,
buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_nopf);
error = EPFNOSUPPORT;
goto bad;
@ -712,7 +709,8 @@ esp_output(
if (skip + hlen + rlen + padding + alen > maxpacketsize) {
DPRINTF(("%s: packet in SA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
ESPSTAT_INC(esps_toobig);
error = EMSGSIZE;
@ -725,7 +723,8 @@ esp_output(
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_hdrops);
error = ENOBUFS;
goto bad;
@ -735,8 +734,8 @@ esp_output(
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
__func__, hlen, ipsec_address(&saidx->dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */
error = ENOBUFS;
goto bad;
@ -765,7 +764,8 @@ esp_output(
pad = (u_char *) m_pad(m, padding + alen);
if (pad == NULL) {
DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
ipsec_address(&saidx->dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
m = NULL; /* NB: free'd by m_pad */
error = ENOBUFS;
goto bad;
@ -876,6 +876,7 @@ bad:
static int
esp_output_cb(struct cryptop *crp)
{
char buf[INET6_ADDRSTRLEN];
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@ -893,7 +894,7 @@ esp_output_cb(struct cryptop *crp)
if (sav != isr->sav) {
ESPSTAT_INC(esps_notdb);
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
__func__, ipsec_address(&tc->tc_dst, buf, sizeof(buf)),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
error = ENOBUFS; /*XXX*/
goto bad;
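Review bot: The ICV check visible as context in esp_input_cb(), `if (bcmp(ptr, aalg, alen) != 0)`, is untouched by this commit but compares an authentication tag with a function that is not guaranteed to run in constant time; ah_input_cb() does the same with `bcmp(ptr + skip + rplen, calc, authsize)`. Whether the timing difference is observable by a peer is not something this page shows, but the usual defensive choice is a constant-time compare, e.g. `if (timingsafe_bcmp(ptr, aalg, alen) != 0)`. That belongs in a separate change from this buffer-passing refactor. The surrounding function bodies lie outside the hunks.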


@ -224,6 +224,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
static int
ipcomp_input_cb(struct cryptop *crp)
{
char buf[INET6_ADDRSTRLEN];
struct cryptodesc *crd;
struct tdb_crypto *tc;
int skip, protoff;
@ -298,8 +299,8 @@ ipcomp_input_cb(struct cryptop *crp)
if (error) {
IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
goto bad;
}
@ -340,14 +341,10 @@ bad:
* IPComp output routine, called by ipsec[46]_process_packet()
*/
static int
ipcomp_output(
struct mbuf *m,
struct ipsecrequest *isr,
struct mbuf **mp,
int skip,
int protoff
)
ipcomp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
int skip, int protoff)
{
char buf[INET6_ADDRSTRLEN];
struct secasvar *sav;
struct comp_algo *ipcompx;
int error, ralen, maxpacketsize;
@ -391,7 +388,7 @@ ipcomp_output(
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi)));
error = EPFNOSUPPORT;
goto bad;
@ -400,7 +397,7 @@ ipcomp_output(
IPCOMPSTAT_INC(ipcomps_toobig);
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long) ntohl(sav->spi),
ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
error = EMSGSIZE;
@ -414,8 +411,8 @@ ipcomp_output(
if (m == NULL) {
IPCOMPSTAT_INC(ipcomps_hdrops);
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
}
@ -482,6 +479,7 @@ bad:
static int
ipcomp_output_cb(struct cryptop *crp)
{
char buf[INET6_ADDRSTRLEN];
struct tdb_crypto *tc;
struct ipsecrequest *isr;
struct secasvar *sav;
@ -539,8 +537,8 @@ ipcomp_output_cb(struct cryptop *crp)
if (mo == NULL) {
IPCOMPSTAT_INC(ipcomps_wrap);
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
__func__, ipsec_address(&sav->sah->saidx.dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
error = ENOBUFS;
goto bad;
}
@ -586,8 +584,8 @@ ipcomp_output_cb(struct cryptop *crp)
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
ipsec_address(&sav->sah->saidx.dst, buf,
sizeof(buf)), (u_long) ntohl(sav->spi)));
error = EPFNOSUPPORT;
goto bad;
}