Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 21 Jul 2023 19:01:30 GMT
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: bc310a95c58a - main - ip output: ensure that mbufs are mapped if ipsec is enabled
Message-ID:  <202307211901.36LJ1UKr055398@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=bc310a95c58a3c570ed7e5103371453881e36ba1

commit bc310a95c58a3c570ed7e5103371453881e36ba1
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-07-20 12:08:24 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-07-21 18:51:13 +0000

    ip output: ensure that mbufs are mapped if ipsec is enabled
    
    Ipsec needs access to packet headers to determine if a policy is
    applicable. It seems that typically IP headers are mapped, but the code
    is arguably needs to check this before blindly accessing them. Then,
    operations like m_unshare() and m_makespace() are not yet ready for
    unmapped mbufs.
    
    Ensure that the packet is mapped before calling into IPSEC_OUTPUT().
    
    PR:     272616
    Reviewed by:    jhb, markj
    Sponsored by:   NVidia networking
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D41112
---
 sys/netinet/ip_output.c   | 6 ++++++
 sys/netinet6/ip6_output.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 1976ab9803af..3f30c63cdc87 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -671,6 +671,12 @@ again:
 sendit:
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
 	if (IPSEC_ENABLED(ipv4)) {
+		m = mb_unmapped_to_ext(m);
+		if (m == NULL) {
+			IPSTAT_INC(ips_odropped);
+			error = ENOBUFS;
+			goto bad;
+		}
 		if ((error = IPSEC_OUTPUT(ipv4, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 59ac04842854..7e3c98270cc2 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -461,6 +461,12 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 	 * XXX: need scope argument.
 	 */
 	if (IPSEC_ENABLED(ipv6)) {
+		m = mb_unmapped_to_ext(m);
+		if (m == NULL) {
+			IP6STAT_INC(ip6s_odropped);
+			error = ENOBUFS;
+			goto bad;
+		}
 		if ((error = IPSEC_OUTPUT(ipv6, m, inp)) != 0) {
 			if (error == EINPROGRESS)
 				error = 0;

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202307211901.36LJ1UKr055398>