Date: Mon, 29 May 2017 09:30:38 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r319118 - head/sys/netipsec Message-ID: <201705290930.v4T9Uccx007189@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Mon May 29 09:30:38 2017 New Revision: 319118 URL: https://svnweb.freebsd.org/changeset/base/319118 Log: Disable IPsec debugging code by default when IPSEC_DEBUG kernel option is not specified. Due to the long call chain IPsec code can produce the kernel stack exhaustion on the i386 architecture. The debugging code usually is not used, but it requires a lot of stack space to keep buffers for strings formatting. This patch conditionally defines macros to disable building of IPsec debugging code. IPsec currently has two sysctl variables to configure debug output: * net.key.debug variable is used to enable debug output for PF_KEY protocol. Such debug messages are produced by KEYDBG() macro and usually they can be interesting for developers. * net.inet.ipsec.debug variable is used to enable debug output for DPRINTF() macro and ipseclog() function. DPRINTF() macro usually is used for development debugging. ipseclog() function is used for debugging by administrator. The patch disables KEYDBG() and DPRINTF() macros, and formatting buffers declarations when IPSEC_DEBUG is not present in kernel config. This reduces stack requirement for up to several hundreds of bytes. The net.inet.ipsec.debug variable still can be used to enable ipseclog() messages by administrator. PR: 219476 Reported by: eugen No objection from: #network MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D10869 Modified: head/sys/netipsec/ipsec.h head/sys/netipsec/ipsec_input.c head/sys/netipsec/ipsec_output.c head/sys/netipsec/key_debug.h head/sys/netipsec/xform_ah.c head/sys/netipsec/xform_esp.c head/sys/netipsec/xform_ipcomp.c Modified: head/sys/netipsec/ipsec.h ============================================================================== --- head/sys/netipsec/ipsec.h Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/ipsec.h Mon May 29 09:30:38 2017 (r319118) @@ -299,7 +299,13 @@ VNET_DECLARE(int, natt_cksum_policy); #define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0) /* for openbsd compatibility */ +#ifdef IPSEC_DEBUG +#define IPSEC_DEBUG_DECLARE(x) x #define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0) +#else +#define IPSEC_DEBUG_DECLARE(x) +#define DPRINTF(x) +#endif struct inpcb; struct m_tag; Modified: head/sys/netipsec/ipsec_input.c ============================================================================== --- head/sys/netipsec/ipsec_input.c Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/ipsec_input.c Mon May 29 09:30:38 2017 (r319118) @@ -117,7 +117,7 @@ __FBSDID("$FreeBSD$"); static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); union sockaddr_union dst_address; struct secasvar *sav; uint32_t spi; @@ -277,7 +277,7 @@ int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct ipsec_ctx_data ctx; struct xform_history *xh; struct secasindex *saidx; @@ -488,7 +488,7 @@ int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct ipsec_ctx_data ctx; struct xform_history *xh; struct secasindex *saidx; Modified: head/sys/netipsec/ipsec_output.c ============================================================================== --- head/sys/netipsec/ipsec_output.c Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/ipsec_output.c Mon May 29 09:30:38 2017 (r319118) @@ -183,7 +183,6 @@ next: static int ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx) { - char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; struct ipsec_ctx_data ctx; union sockaddr_union *dst; struct secasvar *sav; @@ -230,12 +229,9 @@ ipsec4_perform_request(struct mbuf *m, s ip->ip_sum = in_cksum(m, ip->ip_hl << 2); error = ipsec_encap(&m, &sav->sah->saidx); if (error != 0) { - DPRINTF(("%s: encapsulation for SA %s->%s " - "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src, sbuf, - sizeof(sbuf)), - ipsec_address(&sav->sah->saidx.dst, dbuf, - sizeof(dbuf)), ntohl(sav->spi), error)); + DPRINTF(("%s: encapsulation for SPI 0x%08x failed " + "with error %d\n", __func__, ntohl(sav->spi), + error)); /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ goto bad; } @@ -497,7 +493,6 @@ next: static int ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx) { - char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; struct ipsec_ctx_data ctx; union sockaddr_union *dst; struct secasvar *sav; @@ -539,12 +534,9 @@ ipsec6_perform_request(struct mbuf *m, s } error = ipsec_encap(&m, &sav->sah->saidx); if (error != 0) { - DPRINTF(("%s: encapsulation for SA %s->%s " - "SPI 0x%08x failed with error %d\n", __func__, - ipsec_address(&sav->sah->saidx.src, sbuf, - sizeof(sbuf)), - ipsec_address(&sav->sah->saidx.dst, dbuf, - sizeof(dbuf)), ntohl(sav->spi), error)); + DPRINTF(("%s: encapsulation for SPI 0x%08x failed " + "with error %d\n", __func__, ntohl(sav->spi), + error)); /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ goto bad; } Modified: head/sys/netipsec/key_debug.h ============================================================================== --- head/sys/netipsec/key_debug.h Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/key_debug.h Mon May 29 09:30:38 2017 (r319118) @@ -53,10 +53,14 @@ #define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA) #define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP) +#ifdef IPSEC_DEBUG #define KEYDBG(lev, arg) \ if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { \ arg; \ } +#else +#define KEYDBG(lev, arg) +#endif /* !IPSEC_DEBUG */ VNET_DECLARE(uint32_t, key_debug_level); #define V_key_debug_level VNET(key_debug_level) Modified: head/sys/netipsec/xform_ah.c ============================================================================== --- head/sys/netipsec/xform_ah.c Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/xform_ah.c Mon May 29 09:30:38 2017 (r319118) @@ -544,7 +544,7 @@ ah_massage_headers(struct mbuf **m0, int static int ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[128]; + IPSEC_DEBUG_DECLARE(char buf[128]); const struct auth_hash *ahx; struct cryptodesc *crda; struct cryptop *crp; @@ -681,7 +681,7 @@ bad: static int ah_input_cb(struct cryptop *crp) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); unsigned char calc[AH_ALEN_MAX]; const struct auth_hash *ahx; struct mbuf *m; @@ -831,7 +831,7 @@ static int ah_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, u_int idx, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); const struct auth_hash *ahx; struct cryptodesc *crda; struct xform_data *xd; Modified: head/sys/netipsec/xform_esp.c ============================================================================== --- head/sys/netipsec/xform_esp.c Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/xform_esp.c Mon May 29 09:30:38 2017 (r319118) @@ -263,7 +263,7 @@ esp_zeroize(struct secasvar *sav) static int esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) { - char buf[128]; + IPSEC_DEBUG_DECLARE(char buf[128]); const struct auth_hash *esph; const struct enc_xform *espx; struct xform_data *xd; @@ -436,7 +436,7 @@ bad: static int esp_input_cb(struct cryptop *crp) { - char buf[128]; + IPSEC_DEBUG_DECLARE(char buf[128]); u_int8_t lastthree[3], aalg[AH_HMAC_MAXHASHLEN]; const struct auth_hash *esph; const struct enc_xform *espx; @@ -622,7 +622,7 @@ static int esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, u_int idx, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp; const struct auth_hash *esph; Modified: head/sys/netipsec/xform_ipcomp.c ============================================================================== --- head/sys/netipsec/xform_ipcomp.c Mon May 29 09:22:53 2017 (r319117) +++ head/sys/netipsec/xform_ipcomp.c Mon May 29 09:30:38 2017 (r319118) @@ -271,7 +271,7 @@ bad: static int ipcomp_input_cb(struct cryptop *crp) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct cryptodesc *crd; struct xform_data *xd; struct mbuf *m; @@ -387,7 +387,7 @@ static int ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, u_int idx, int skip, int protoff) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); const struct comp_algo *ipcompx; struct cryptodesc *crdc; struct cryptop *crp; @@ -521,7 +521,7 @@ bad: static int ipcomp_output_cb(struct cryptop *crp) { - char buf[IPSEC_ADDRSTRLEN]; + IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); struct xform_data *xd; struct secpolicy *sp; struct secasvar *sav;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705290930.v4T9Uccx007189>