diff options
| author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 15:26:11 -0500 |
|---|---|---|
| committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 12:02:00 -0500 |
| commit | c10a06fdafd86efa4c2c4c262870f0d5276dd625 (patch) | |
| tree | fd8a5e95ac44286448b29ddb1b075f0ec71e1c07 /sys/netipsec/ipsec_output.c | |
| parent | 4ae8d18ecb266f2fb2c6734bb3297bc7651da103 (diff) | |
| download | FreeBSD-src-c10a06fdafd86efa4c2c4c262870f0d5276dd625.zip FreeBSD-src-c10a06fdafd86efa4c2c4c262870f0d5276dd625.tar.gz | |
MFC r281695:
Change ipsec_address() and ipsec_logsastr() functions to take two
additional arguments - buffer and size of this buffer.
ipsec_address() is used to convert sockaddr structure to presentation
format. The IPv6 part of this function returns pointer to the on-stack
buffer and at the moment when it will be used by caller, it becames
invalid. IPv4 version uses 4 static buffers and returns pointer to
new buffer each time when it called. But anyway it is still possible
to get corrupted data when several threads will use this function.
ipsec_logsastr() is used to format string about SA entry. It also
uses static buffer and has the same problem with concurrent threads.
To fix these problems add the buffer pointer and size of this
buffer to arguments. Now each caller will pass buffer and its size
to these functions. Also convert all places where these functions
are used (except disabled code).
And now ipsec_address() uses inet_ntop() function from libkern.
PR: 185996
Differential Revision: https://reviews.freebsd.org/D2321
Reviewed by: gnn
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index dbce546..a201fb6 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -528,6 +528,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx) int ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr) { + char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN]; union sockaddr_union *dst; struct secasindex saidx; struct secasvar *sav; @@ -578,9 +579,10 @@ ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr) if (error != 0) { DPRINTF(("%s: encapsulation for SA %s->%s " "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src), - ipsec_address(&sav->sah->saidx.dst), - ntohl(sav->spi), error)); + ipsec_address(&sav->sah->saidx.src, sbuf, + sizeof(sbuf)), + ipsec_address(&sav->sah->saidx.dst, dbuf, + sizeof(dbuf)), ntohl(sav->spi), error)); goto bad; } } @@ -649,11 +651,9 @@ in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr * IPsec output logic for IPv6. */ int -ipsec6_process_packet( - struct mbuf *m, - struct ipsecrequest *isr - ) +ipsec6_process_packet(struct mbuf *m, struct ipsecrequest *isr) { + char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN]; struct secasindex saidx; struct secasvar *sav; struct ip6_hdr *ip6; @@ -703,9 +703,10 @@ ipsec6_process_packet( if (error != 0) { DPRINTF(("%s: encapsulation for SA %s->%s " "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src), - ipsec_address(&sav->sah->saidx.dst), - ntohl(sav->spi), error)); + ipsec_address(&sav->sah->saidx.src, sbuf, + sizeof(sbuf)), + ipsec_address(&sav->sah->saidx.dst, dbuf, + sizeof(dbuf)), ntohl(sav->spi), error)); goto bad; } } |
