From 33dc72ec8c82736f5d5c2ab5c7e57aad0f4ba647 Mon Sep 17 00:00:00 2001
From: vanhu <vanhu@FreeBSD.org>
Date: Wed, 5 May 2010 08:55:26 +0000
Subject: Update SA's NAT-T stuff before calling key_mature() in key_update(),
 as SA may be used as soon as key_mature() has been called.

Obtained from:	NETASQ
MFC after: 1 week
---
 sys/netipsec/key.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'sys')

diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 5219768..7fc199a 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -5156,12 +5156,6 @@ key_update(so, m, mhp)
 		return key_senderror(so, m, error);
 	}
 
-	/* check SA values to be mature. */
-	if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) {
-		KEY_FREESAV(&sav);
-		return key_senderror(so, m, 0);
-	}
-
 #ifdef IPSEC_NAT_T
 	/*
 	 * Handle more NAT-T info if present,
@@ -5188,6 +5182,12 @@ key_update(so, m, mhp)
 #endif
 #endif
 
+	/* check SA values to be mature. */
+	if ((mhp->msg->sadb_msg_errno = key_mature(sav)) != 0) {
+		KEY_FREESAV(&sav);
+		return key_senderror(so, m, 0);
+	}
+
     {
 	struct mbuf *n;
 
-- 
cgit v1.1