author | ae <ae@FreeBSD.org> | 2017-06-05 11:11:07 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2017-06-05 11:11:07 +0000 |
commit | 0aa410ec335e93e803d3c3a87102451332e3f663 (patch) | |
tree | 774101966b22ab701503cc448687b1236d213e53 /sys/netipsec/xform_ipcomp.c | |
parent | ee1a67d0e0db96ec13eb065a8b2ffb148c5c12db (diff) | |
MFC r319118:

Disable IPsec debugging code by default when IPSEC_DEBUG kernel option
is not specified.

Due to the long call chain IPsec code can produce the kernel stack
exhaustion on the i386 architecture. The debugging code usually is not
used, but it requires a lot of stack space to keep buffers for strings
formatting. This patch conditionally defines macros to disable building
of IPsec debugging code.

IPsec currently has two sysctl variables to configure debug output:

* net.key.debug variable is used to enable debug output for PF_KEY
  protocol. Such debug messages are produced by KEYDBG() macro and
  usually they can be interesting for developers.
* net.inet.ipsec.debug variable is used to enable debug output for
  DPRINTF() macro and ipseclog() function. DPRINTF() macro usually
  is used for development debugging. ipseclog() function is used for
  debugging by administrator.

The patch disables KEYDBG() and DPRINTF() macros, and formatting buffers
declarations when IPSEC_DEBUG is not present in kernel config. This
reduces stack requirement for up to several hundreds of bytes.

The net.inet.ipsec.debug variable still can be used to enable ipseclog()
messages by administrator.

PR: 219476

MFC r319412:

Build kdebug_secreplay() function only when IPSEC_DEBUG is defined.
This should fix the build on sparc.

Approved by: re (kib)

Diffstat (limited to 'sys/netipsec/xform_ipcomp.c')
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 061937d..1e8fc59 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -271,7 +271,7 @@ bad: static int ipcomp_input_cb(struct cryptop *crp) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct cryptodesc *crd; struct xform_data *xd; struct mbuf *m; @@ -387,7 +387,7 @@ static int ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, u_int idx, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); const struct comp_algo *ipcompx; struct cryptodesc *crdc; struct cryptop *crp; @@ -521,7 +521,7 @@ bad: static int ipcomp_output_cb(struct cryptop *crp) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct xform_data *xd; struct secpolicy *sp; struct secasvar *sav; |
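
Review bot: In the first hunk (ipcomp_input_cb), `IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);` is the first line of the declaration block, so if the macro expands to nothing without IPSEC_DEBUG, as the commit message describes, a lone `;` is left ahead of `struct cryptodesc *crd;` and the declarations that follow. That is an empty statement before declarations, which a compiler in C90 mode or with -Wdeclaration-after-statement will flag. Consider moving the macro invocation to the end of the declaration block, or letting the macro supply its own semicolon so that nothing is left behind when it is empty.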
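
Review bot: In the second hunk (ipcomp_output), buf no longer exists when IPSEC_DEBUG is not defined, so every reference to buf in this function has to sit inside a DPRINTF() argument list or another construct that is compiled out together with the declaration. The hunk shows only the declaration, not the uses. Please confirm with a kernel build that omits IPSEC_DEBUG, since that is now the default configuration and any stray use of buf becomes a compile error there.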
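
Review bot: In the third hunk (ipcomp_output_cb), the change lacks any comment telling the reader that buf is now a debug-only variable. The commit message states that ipseclog() stays available to administrators through net.inet.ipsec.debug while DPRINTF() is compiled out, so a later edit that passes buf to ipseclog() in this callback would build only with IPSEC_DEBUG. A short comment next to the declaration saying that buf may be used only in DPRINTF() arguments would keep that constraint visible.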