author | ae <ae@FreeBSD.org> | 2014-12-11 18:46:11 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2014-12-11 18:46:11 +0000 |
commit | 19098cfc000302127817a432ec0b8dae4f9094c7 (patch) | |
tree | a87f109571c249b9ec85b501ad331afa3c15900a /sys/netipsec | |
parent | 3f424f0f2497015a7bf1d78ce076540af92b801e (diff) | |
Treat errors when retrieving security policy as policy violation.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 5db156a..5e0cdbf 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1265,6 +1265,9 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
 return (0); /* Valid. */
 }
 
+/*
+ * Non zero return value means security policy DISCARD or policy violation.
+ */
 static int
 ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 {
@@ -1284,8 +1287,7 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 result = ipsec_in_reject(sp, m);
 KEY_FREESP(&sp);
 } else {
- result = 0; /* XXX Should be panic?
- * -> No, there may be error. */
+ result = 1; /* treat errors as policy violation */
 }
 return (result);
 }
|
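Review bot: In the `else` branch of the second hunk, `result = 1` makes a failed policy lookup indistinguishable from a packet that a policy really rejected, so a transient lookup error would surface only as dropped inbound traffic. Failing closed is the safer default here; what is missing is a way to tell the two cases apart when diagnosing drops, for example a debug message or a separate counter in that branch (the callers, which presumably count any non-zero return as a violation, are outside the hunk). The header comment added in the first hunk should state the new behaviour too, e.g. `Non-zero return value means security policy DISCARD, policy violation, or failure to obtain the policy (fail closed).` The lookup that sets `sp` sits between the two hunks and is not visible here, so which error conditions reach this branch should be confirmed against the full function.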