- m_cat() may free the mbuf passed as its 2nd arg, so m_pkthdr manipulation has
  to happen before the call to m_cat().
- correct signedness mixups.
- remove variable that is only assigned to but not referenced.

Obtained from:	KAME
Hajimu UMEMOTO 2003-11-15 06:18:09 +00:00
parent c36bc21aa3
commit fc8f306fc1
4 changed files with 14 additions and 20 deletions


@ -1,5 +1,5 @@
/* $FreeBSD$ */ /* $FreeBSD$ */
/* $KAME: ah_core.c,v 1.44 2001/03/12 11:24:39 itojun Exp $ */ /* $KAME: ah_core.c,v 1.59 2003/07/25 10:17:14 itojun Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.


@ -494,9 +494,9 @@ ah4_input(m, off)
goto fail; goto fail;
} }
m_adj(n, stripsiz); m_adj(n, stripsiz);
m_cat(m, n);
/* m_cat does not update m_pkthdr.len */ /* m_cat does not update m_pkthdr.len */
m->m_pkthdr.len += n->m_pkthdr.len; m->m_pkthdr.len += n->m_pkthdr.len;
m_cat(m, n);
} }
#endif #endif
@ -803,10 +803,6 @@ ah6_input(mp, offp, proto)
flowinfo = ip6->ip6_flow; flowinfo = ip6->ip6_flow;
m_adj(m, off + stripsiz); m_adj(m, off + stripsiz);
if (m->m_len < sizeof(*ip6)) { if (m->m_len < sizeof(*ip6)) {
/*
* m_pullup is prohibited in KAME IPv6 input processing
* but there's no other way!
*/
m = m_pullup(m, sizeof(*ip6)); m = m_pullup(m, sizeof(*ip6));
if (!m) { if (!m) {
ipsec6stat.in_inval++; ipsec6stat.in_inval++;
@ -899,9 +895,9 @@ ah6_input(mp, offp, proto)
goto fail; goto fail;
} }
m_adj(n, stripsiz); m_adj(n, stripsiz);
m_cat(m, n);
/* m_cat does not update m_pkthdr.len */ /* m_cat does not update m_pkthdr.len */
m->m_pkthdr.len += n->m_pkthdr.len; m->m_pkthdr.len += n->m_pkthdr.len;
m_cat(m, n);
} }
#endif #endif
ip6 = mtod(m, struct ip6_hdr *); ip6 = mtod(m, struct ip6_hdr *);
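Review bot: The reordered lines in ah4_input, and the identical pair in the last ah6_input hunk, still carry only the old comment `/* m_cat does not update m_pkthdr.len */`, which does not say why the length update has to come first. A later cleanup could move it back below the call and reintroduce a read of `n` after m_cat() may have freed it. I would extend the comment to `/* m_cat does not update m_pkthdr.len; read n->m_pkthdr.len first, m_cat() may free n */`. Adding `n = NULL;` right after `m_cat(m, n);` would also make any later use of the stale pointer fault at once instead of touching freed memory. Whether `n` is referenced further down cannot be seen here, because both functions continue outside these hunks.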


@ -551,7 +551,7 @@ esp_3des_schedule(algo, sav)
int error; int error;
des_key_schedule *p; des_key_schedule *p;
int i; int i;
char *k; u_int8_t *k;
p = (des_key_schedule *)sav->sched; p = (des_key_schedule *)sav->sched;
k = _KEYBUF(sav->key_enc); k = _KEYBUF(sav->key_enc);
@ -673,7 +673,7 @@ esp_cbc_decrypt(m, off, sav, algo, ivlen)
} }
/* grab iv */ /* grab iv */
m_copydata(m, ivoff, ivlen, iv); m_copydata(m, ivoff, ivlen, (caddr_t)iv);
/* extend iv */ /* extend iv */
if (ivlen == blocklen) if (ivlen == blocklen)
@ -878,11 +878,11 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
/* put iv into the packet. if we are in derived mode, use seqno. */ /* put iv into the packet. if we are in derived mode, use seqno. */
if (derived) if (derived)
m_copydata(m, ivoff, ivlen, iv); m_copydata(m, ivoff, ivlen, (caddr_t)iv);
else { else {
bcopy(sav->iv, iv, ivlen); bcopy(sav->iv, iv, ivlen);
/* maybe it is better to overwrite dest, not source */ /* maybe it is better to overwrite dest, not source */
m_copyback(m, ivoff, ivlen, iv); m_copyback(m, ivoff, ivlen, (caddr_t)iv);
} }
/* extend iv */ /* extend iv */
@ -945,7 +945,7 @@ esp_cbc_encrypt(m, off, plen, sav, algo, ivlen)
sp = mtod(s, u_int8_t *) + sn; sp = mtod(s, u_int8_t *) + sn;
} else { } else {
/* body is non-continuous */ /* body is non-continuous */
m_copydata(s, sn, blocklen, sbuf); m_copydata(s, sn, blocklen, (caddr_t)sbuf);
sp = sbuf; sp = sbuf;
} }
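Review bot: The `(caddr_t)` casts added at the m_copydata()/m_copyback() calls in esp_cbc_decrypt and esp_cbc_encrypt silence the signedness warning, but they also stop the compiler from checking the destination argument's type. Each of these calls copies `ivlen` or `blocklen` bytes into a local buffer (`iv`, `sbuf`). The declarations of those buffers and any check of the length against their size lie outside these hunks, so the bound cannot be confirmed from here. If it is enforced earlier in each function, a comment at the first call such as `/* ivlen checked against sizeof(iv) above; cast is only for the caddr_t parameter */` would record that, so the cast is not read as hiding an unchecked copy.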


@ -116,7 +116,6 @@ esp4_input(m, off)
int ivlen; int ivlen;
size_t hlen; size_t hlen;
size_t esplen; size_t esplen;
int proto;
/* sanity check for alignment. */ /* sanity check for alignment. */
if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) {
@ -137,7 +136,6 @@ esp4_input(m, off)
} }
ip = mtod(m, struct ip *); ip = mtod(m, struct ip *);
proto = ip->ip_p;
esp = (struct esp *)(((u_int8_t *)ip) + off); esp = (struct esp *)(((u_int8_t *)ip) + off);
#ifdef _IP_VHL #ifdef _IP_VHL
hlen = IP_VHL_HL(ip->ip_vhl) << 2; hlen = IP_VHL_HL(ip->ip_vhl) << 2;
@ -208,8 +206,8 @@ esp4_input(m, off)
/* check ICV */ /* check ICV */
{ {
u_char sum0[AH_MAXSUMSIZE]; u_int8_t sum0[AH_MAXSUMSIZE];
u_char sum[AH_MAXSUMSIZE]; u_int8_t sum[AH_MAXSUMSIZE];
const struct ah_algorithm *sumalgo; const struct ah_algorithm *sumalgo;
size_t siz; size_t siz;
@ -229,7 +227,7 @@ esp4_input(m, off)
goto bad; goto bad;
} }
m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); m_copydata(m, m->m_pkthdr.len - siz, siz, (caddr_t)&sum0[0]);
if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n",
@ -590,7 +588,7 @@ esp6_input(mp, offp, proto)
goto bad; goto bad;
} }
m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); m_copydata(m, m->m_pkthdr.len - siz, siz, (caddr_t)&sum0[0]);
if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n",
@ -761,7 +759,7 @@ noreplaycheck:
* we can always compute checksum for AH correctly. * we can always compute checksum for AH correctly.
*/ */
size_t stripsiz; size_t stripsiz;
char *prvnxtp; u_int8_t *prvnxtp;
/* /*
* Set the next header field of the previous header correctly. * Set the next header field of the previous header correctly.
@ -790,9 +788,9 @@ noreplaycheck:
goto bad; goto bad;
} }
m_adj(n, stripsiz); m_adj(n, stripsiz);
m_cat(m, n);
/* m_cat does not update m_pkthdr.len */ /* m_cat does not update m_pkthdr.len */
m->m_pkthdr.len += n->m_pkthdr.len; m->m_pkthdr.len += n->m_pkthdr.len;
m_cat(m, n);
} }
#ifndef PULLDOWN_TEST #ifndef PULLDOWN_TEST