From owner-svn-src-projects@freebsd.org  Wed Nov 23 08:06:18 2016
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 87A66C50F22
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Wed, 23 Nov 2016 08:06:18 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4906EB67;
 Wed, 23 Nov 2016 08:06:18 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAN86Hr4012760;
 Wed, 23 Nov 2016 08:06:17 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAN86HDb012759;
 Wed, 23 Nov 2016 08:06:17 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201611230806.uAN86HDb012759@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Wed, 23 Nov 2016 08:06:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r309036 - projects/ipsec/sys/netipsec
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Nov 2016 08:06:18 -0000

Author: ae
Date: Wed Nov 23 08:06:17 2016
New Revision: 309036
URL: https://svnweb.freebsd.org/changeset/base/309036

Log:
  Update key_delete() to reflect changes in SADB and use more accurate
  sanity checks.

Modified:
  projects/ipsec/sys/netipsec/key.c

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c	Wed Nov 23 07:57:52 2016	(r309035)
+++ projects/ipsec/sys/netipsec/key.c	Wed Nov 23 08:06:17 2016	(r309036)
@@ -5221,12 +5221,11 @@ key_getmsgbuf_x1(struct mbuf *m, const s
 static int
 key_delete(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
 {
-	struct sadb_sa *sa0;
-	struct sadb_address *src0, *dst0;
 	struct secasindex saidx;
-	struct secashead *sah;
-	struct secasvar *sav = NULL;
-	u_int16_t proto;
+	struct sadb_address *src0, *dst0;
+	struct secasvar *sav;
+	struct sadb_sa *sa0;
+	uint8_t proto;
 
 	IPSEC_ASSERT(so != NULL, ("null socket"));
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -5236,45 +5235,28 @@ key_delete(struct socket *so, struct mbu
 	/* map satype to proto */
 	if ((proto = key_satype2proto(mhp->msg->sadb_msg_satype)) == 0) {
 		ipseclog((LOG_DEBUG, "%s: invalid satype is passed.\n",
-			__func__));
-		return key_senderror(so, m, EINVAL);
-	}
-
-	if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
-	    mhp->ext[SADB_EXT_ADDRESS_DST] == NULL) {
-		ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
-			__func__));
-		return key_senderror(so, m, EINVAL);
-	}
-
-	if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
-	    mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address)) {
-		ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
-			__func__));
+		    __func__));
 		return key_senderror(so, m, EINVAL);
 	}
 
-	if (mhp->ext[SADB_EXT_SA] == NULL) {
-		/*
-		 * Caller wants us to delete all non-LARVAL SAs
-		 * that match the src/dst.  This is used during
-		 * IKE INITIAL-CONTACT.
-		 */
-		ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__));
-		return key_delete_all(so, m, mhp, proto);
-	} else if (mhp->extlen[SADB_EXT_SA] < sizeof(struct sadb_sa)) {
+	if (SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_SRC) ||
+	    SADB_CHECKHDR(mhp, SADB_EXT_ADDRESS_DST) ||
+	    SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_SRC) ||
+	    SADB_CHECKLEN(mhp, SADB_EXT_ADDRESS_DST)) {
 		ipseclog((LOG_DEBUG, "%s: invalid message is passed.\n",
-			__func__));
+		    __func__));
 		return key_senderror(so, m, EINVAL);
 	}
 
-	sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
 	src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]);
 	dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]);
 
-	/* XXX boundary check against sa_len */
+	if (key_checksockaddrs((struct sockaddr *)(src0 + 1),
+	    (struct sockaddr *)(dst0 + 1)) != 0) {
+		ipseclog((LOG_DEBUG, "%s: invalid sockaddr.\n", __func__));
+		return (key_senderror(so, m, EINVAL));
+	}
 	KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
-
 	/*
 	 * Make sure the port numbers are zero.
 	 * In case of NAT-T we will update them later if needed.
@@ -5282,57 +5264,39 @@ key_delete(struct socket *so, struct mbu
 	KEY_PORTTOSADDR(&saidx.src, 0);
 	KEY_PORTTOSADDR(&saidx.dst, 0);
 
-#ifdef IPSEC_NAT_T
-	/*
-	 * Handle NAT-T info if present.
-	 */
-	if (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL &&
-	    mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL) {
-		struct sadb_x_nat_t_port *sport, *dport;
-
-		if (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport) ||
-		    mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport)) {
-			ipseclog((LOG_DEBUG, "%s: invalid message.\n",
-			    __func__));
-			return key_senderror(so, m, EINVAL);
-		}
-
-		sport = (struct sadb_x_nat_t_port *)
-		    mhp->ext[SADB_X_EXT_NAT_T_SPORT];
-		dport = (struct sadb_x_nat_t_port *)
-		    mhp->ext[SADB_X_EXT_NAT_T_DPORT];
-
-		if (sport)
-			KEY_PORTTOSADDR(&saidx.src,
-			    sport->sadb_x_nat_t_port_port);
-		if (dport)
-			KEY_PORTTOSADDR(&saidx.dst,
-			    dport->sadb_x_nat_t_port_port);
-	}
-#endif
-
-	/* get a SA header */
-	SAHTREE_LOCK();
-	LIST_FOREACH(sah, &V_sahtree, chain) {
-		if (sah->state == SADB_SASTATE_DEAD)
-			continue;
-		if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
-			continue;
-
-		/* get a SA with SPI. */
-		sav = key_getsavbyspi(sah, sa0->sadb_sa_spi);
-		if (sav)
-			break;
+	if (SADB_CHECKHDR(mhp, SADB_EXT_SA)) {
+		/*
+		 * Caller wants us to delete all non-LARVAL SAs
+		 * that match the src/dst.  This is used during
+		 * IKE INITIAL-CONTACT.
+		 * XXXAE: this looks like some extension to RFC2367.
+		 */
+		ipseclog((LOG_DEBUG, "%s: doing delete all.\n", __func__));
+		return (key_delete_all(so, m, mhp, &saidx));
 	}
-	if (sah == NULL) {
-		SAHTREE_UNLOCK();
-		ipseclog((LOG_DEBUG, "%s: no SA found.\n", __func__));
-		return key_senderror(so, m, ENOENT);
+	if (SADB_CHECKLEN(mhp, SADB_EXT_SA)) {
+		ipseclog((LOG_DEBUG,
+		    "%s: invalid message: wrong header size.\n", __func__));
+		return (key_senderror(so, m, EINVAL));
 	}
-
-	key_sa_chgstate(sav, SADB_SASTATE_DEAD);
-	KEY_FREESAV(&sav);
-	SAHTREE_UNLOCK();
+	sa0 = (struct sadb_sa *)mhp->ext[SADB_EXT_SA];
+	sav = key_getsavbyspi(sa0->sadb_sa_spi);
+	if (sav == NULL) {
+		ipseclog((LOG_DEBUG, "%s: no SA found for SPI %u.\n",
+		    __func__, ntohl(sa0->sadb_sa_spi)));
+		return (key_senderror(so, m, ESRCH));
+	}
+	if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_HEAD) == 0) {
+		ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u.\n",
+		    __func__, ntohl(sav->spi)));
+		key_freesav(&sav);
+		return (key_senderror(so, m, ESRCH));
+	}
+	KEYDBG(KEY_STAMP,
+	    printf("%s: SA(%p)\n", __func__, sav));
+	KEYDBG(KEY_DATA, kdebug_secasv(sav));
+	key_unlinksav(sav);
+	key_freesav(&sav);
 
     {
 	struct mbuf *n;