FreeBSD Mail Archives

Date:      Thu, 11 Dec 2014 18:46:12 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r275712 - head/sys/netipsec
Message-ID:  <201412111846.sBBIkCnb002843@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: ae
Date: Thu Dec 11 18:46:11 2014
New Revision: 275712
URL: https://svnweb.freebsd.org/changeset/base/275712

Log:
  Treat errors when retrieving security policy as policy violation.
  
  Obtained from:	Yandex LLC
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netipsec/ipsec.c

Modified: head/sys/netipsec/ipsec.c
==============================================================================
--- head/sys/netipsec/ipsec.c	Thu Dec 11 18:40:56 2014	(r275711)
+++ head/sys/netipsec/ipsec.c	Thu Dec 11 18:46:11 2014	(r275712)
@@ -1265,6 +1265,9 @@ ipsec_in_reject(struct secpolicy *sp, st
 	return (0);		/* Valid. */
 }
 
+/*
+ * Non zero return value means security policy DISCARD or policy violation.
+ */
 static int
 ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 {
@@ -1284,8 +1287,7 @@ ipsec46_in_reject(struct mbuf *m, struct
 		result = ipsec_in_reject(sp, m);
 		KEY_FREESP(&sp);
 	} else {
-		result = 0;	/* XXX Should be panic?
-				 * -> No, there may be error. */
+		result = 1;	/* treat errors as policy violation */
 	}
 	return (result);
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412111846.sBBIkCnb002843>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation