Diffstat (limited to 'sys/netinet/udp_usrreq.c')
-rw-r--r--sys/netinet/udp_usrreq.c33
1 files changed, 29 insertions, 4 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b93e99e..37d15d0 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -36,6 +36,7 @@
#include "opt_ipsec.h"
#include "opt_inet6.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -43,6 +44,7 @@
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/proc.h>
@@ -166,6 +168,9 @@ udp_input(m, off)
int len;
struct ip save_ip;
struct sockaddr *append_sa;
+#ifdef MAC
+ int error;
+#endif
udpstat.udps_ipackets++;
@@ -303,18 +308,29 @@ udp_input(m, off)
if (last != NULL) {
struct mbuf *n;
+ int policyfail;
+ policyfail = 0;
#ifdef IPSEC
/* check AH/ESP integrity. */
- if (ipsec4_in_reject_so(m, last->inp_socket))
+ if (ipsec4_in_reject_so(m, last->inp_socket)) {
ipsecstat.in_polvio++;
+ policyfail = 1;
/* do not inject data to pcb */
- else
+ }
#endif /*IPSEC*/
- if ((n = m_copy(m, 0, M_COPYALL)) != NULL)
- udp_append(last, ip, n,
+#ifdef MAC
+ if (mac_check_socket_receive(last->inp_socket,
+ m) != 0)
+ policyfail = 1;
+#endif
+ if (!policyfail) {
+ if ((n = m_copy(m, 0, M_COPYALL))
+ != NULL)
+ udp_append(last, ip, n,
iphlen +
sizeof(struct udphdr));
+ }
INP_UNLOCK(last);
}
last = inp;
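Review bot: The MAC receive check added in this loop covers only the copies passed to `udp_append` inside it. Because each iteration ends with `last = inp;`, the final matching socket is delivered after the loop, outside this hunk. The later hunk at `@@ -389` adds one more check, but the visible context does not show whether it sits on that tail path or on the unicast path. If the tail delivery is unguarded, one socket in every broadcast/multicast fan-out receives the datagram regardless of policy, and it needs the same `if (mac_check_socket_receive(last->inp_socket, m) != 0)` guard before its `udp_append`.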
@@ -389,6 +405,11 @@ udp_input(m, off)
goto bad;
}
#endif /*IPSEC*/
+#ifdef MAC
+ error = mac_check_socket_receive(inp->inp_socket, m);
+ if (error)
+ goto bad;
+#endif
/*
* Construct sockaddr format source address.
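Review bot: A MAC denial here discards the datagram without any accounting. The IPsec rejection in the multicast loop bumps `ipsecstat.in_polvio`, but `if (error) goto bad;` here and the `policyfail = 1;` set by the MAC check in the loop hunk increment nothing. Unless the `bad` path counts it (not visible here), policy drops cannot be told apart from other discards when someone investigates lost traffic, so a drop statistic is worth adding at both sites. `error` is only tested and never propagated in the visible lines, so `if (mac_check_socket_receive(inp->inp_socket, m) != 0) goto bad;` would match the loop's form and make the `#ifdef MAC` declaration of `int error;` unnecessary. The body of `udp_input` continues outside this hunk.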
@@ -718,6 +739,10 @@ udp_output(inp, m, addr, control, td)
struct sockaddr_in *sin;
int s = 0, error = 0;
+#ifdef MAC
+ mac_create_mbuf_from_socket(inp->inp_socket, m);
+#endif
+
if (control)
m_freem(control); /* XXX */
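Review bot: The labelling call at the top of `udp_output` has no comment explaining why it runs before any of the function's own checks. Something like `/* Label the outgoing mbuf from the sending socket before it is passed down the stack. */` would document the intended ordering. The call also dereferences `inp->inp_socket` with no locking or validity check visible in this hunk. Presumably the caller guarantees both, but that should be confirmed, since the rest of the function lies outside the hunk.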