Module Name: src Committed By: ryo Date: Thu May 11 05:55:14 UTC 2017
Modified Files: src/sys/netipsec: ipsec.c ipsec.h ipsec_input.c ipsec_output.c xform_ah.c xform_esp.c xform_ipcomp.c xform_ipip.c Log Message: Make ipsec_address() and ipsec_logsastr() mpsafe. To generate a diff of this commit: cvs rdiff -u -r1.87 -r1.88 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.46 -r1.47 src/sys/netipsec/ipsec.h \ src/sys/netipsec/ipsec_output.c cvs rdiff -u -r1.41 -r1.42 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.54 -r1.55 src/sys/netipsec/xform_esp.c cvs rdiff -u -r1.37 -r1.38 src/sys/netipsec/xform_ipcomp.c cvs rdiff -u -r1.48 -r1.49 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/ipsec.c diff -u src/sys/netipsec/ipsec.c:1.87 src/sys/netipsec/ipsec.c:1.88 --- src/sys/netipsec/ipsec.c:1.87 Wed May 10 09:34:52 2017 +++ src/sys/netipsec/ipsec.c Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $ */ +/* $NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.87 2017/05/10 09:34:52 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.88 2017/05/11 05:55:14 ryo Exp $"); /* * IPsec controller part. @@ -2101,6 +2101,7 @@ ipsec_updatereplay(u_int32_t seq, const int fr; u_int32_t wsizeb; /* constant: bits of window size */ int frlast; /* constant: last frame */ + char buf[INET6_ADDRSTRLEN]; IPSEC_SPLASSERT_SOFTNET(__func__); @@ -2177,7 +2178,7 @@ ok: return 1; ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n", - replay->overflow, ipsec_logsastr(sav))); + replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf)))); } replay->count++; 
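Review bot: The buffer added to ipsec_updatereplay() is `char buf[INET6_ADDRSTRLEN];`, sized for one IPv6 address, but it is passed to ipsec_logsastr(), which formats `SA(SPI=%u src=%s dst=%s)` with two addresses, so the replay-counter warning can be cut off. Nothing overflows, because ipsec_logsastr() bounds the write with snprintf(buf, size, ...), but the truncated line can lose the addresses an operator needs to identify the SA whose counter cycled. The declaration should use the size this commit defines in ipsec.h for that purpose: `char buf[IPSEC_LOGSASTRLEN];`. The other ipsec_logsastr() callers touched here (ah_input, esp_input, esp_input_cb) already do so. The function body starts and ends outside these two hunks.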
@@ -2210,37 +2211,21 @@ vshiftl(unsigned char *bitmap, int nbit, return; } -/* Return a printable string for the IPv4 address. */ -static char * -inet_ntoa4(struct in_addr ina) -{ - static char buf[4][4 * sizeof "123" + 4]; - unsigned char *ucp = (unsigned char *) &ina; - static int i = 3; - - i = (i + 1) % 4; - snprintf(buf[i], sizeof(buf[i]), "%d.%d.%d.%d", - ucp[0] & 0xff, ucp[1] & 0xff, ucp[2] & 0xff, ucp[3] & 0xff); - return (buf[i]); -} - /* Return a printable string for the address. */ const char * -ipsec_address(const union sockaddr_union *sa) +ipsec_address(const union sockaddr_union *sa, char *buf, size_t size) { -#if INET6 - static char ip6buf[INET6_ADDRSTRLEN]; /* XXX: NOMPSAFE */ -#endif - switch (sa->sa.sa_family) { #if INET case AF_INET: - return inet_ntoa4(sa->sin.sin_addr); + in_print(buf, size, &sa->sin.sin_addr); + return buf; #endif /* INET */ #if INET6 case AF_INET6: - return IN6_PRINT(ip6buf, &sa->sin6.sin6_addr); + in6_print(buf, size, &sa->sin6.sin6_addr); + return buf; #endif /* INET6 */ default: 
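Review bot: ipsec_address() now writes into caller-supplied storage, but the comment above it still reads only "Return a printable string for the address." and does not say how large `buf` must be or how long the result stays valid. I would extend it to something like `/* Format sa into buf (at least IPSEC_ADDRSTRLEN bytes) and return it; the string is valid only while buf is. */`. Any status returned by in_print() and in6_print() is discarded, so a caller that passes a short buffer gets a truncated address with no indication, which the comment should mention too. The `default:` arm lies outside the hunk, so what it returns cannot be checked here.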
@@ -2249,27 +2234,19 @@ ipsec_address(const union sockaddr_union } const char * -ipsec_logsastr(const struct secasvar *sav) +ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size) { - static char buf[256]; - char *p; const struct secasindex *saidx = &sav->sah->saidx; + char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family, "af family mismatch, src %u, dst %u", saidx->src.sa.sa_family, saidx->dst.sa.sa_family); - p = buf; - snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi)); - while (p && *p) - p++; - /* NB: only use ipsec_address on one address at a time */ - snprintf(p, sizeof (buf) - (p - buf), "src=%s ", - ipsec_address(&saidx->src)); - while (p && *p) - p++; - snprintf(p, sizeof (buf) - (p - buf), "dst=%s)", - ipsec_address(&saidx->dst)); + snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)", + (u_int32_t)ntohl(sav->spi), + ipsec_address(&saidx->src, sbuf, sizeof(sbuf)), + ipsec_address(&saidx->dst, dbuf, sizeof(dbuf))); return buf; } Index: src/sys/netipsec/ipsec.h diff -u src/sys/netipsec/ipsec.h:1.46 src/sys/netipsec/ipsec.h:1.47 --- src/sys/netipsec/ipsec.h:1.46 Wed May 10 09:34:52 2017 +++ src/sys/netipsec/ipsec.h Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec.h,v 1.46 2017/05/10 09:34:52 ozaki-r Exp $ */ +/* $NetBSD: ipsec.h,v 1.47 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ @@ -149,6 +149,11 @@ struct secspacq { }; #endif /* _KERNEL */ +/* buffer size for formatted output of ipsec address (addr + '%' + scope_id?) */ +#define IPSEC_ADDRSTRLEN (INET6_ADDRSTRLEN + 11) +/* buffer size for ipsec_logsastr() */ +#define IPSEC_LOGSASTRLEN 192 + /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */ #define IPSEC_PORT_ANY 0 #define IPSEC_ULPROTO_ANY 255 
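Review bot: ipsec_logsastr() trusts the caller's `size` and ignores the snprintf() result, so an undersized buffer yields a silently truncated SA string; this commit already contains such a caller in ipsec_updatereplay(), which passes INET6_ADDRSTRLEN bytes. A short buffer is a programming error rather than a runtime condition, so an assertion next to the existing KASSERTMSG would catch it in DIAGNOSTIC kernels: `KASSERT(size >= IPSEC_LOGSASTRLEN);`. The function also deserves a one-line comment stating that `buf` must hold IPSEC_LOGSASTRLEN bytes and that the returned pointer is `buf`.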
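Review bot: `IPSEC_LOGSASTRLEN` is a bare 192 with no stated relation to the string it has to hold, so a later change to the ipsec_logsastr() format or to IPSEC_ADDRSTRLEN could outgrow it unnoticed. The comment could spell out the budget, e.g. `/* "SA(SPI=" + 10 digits + " src=" + addr + " dst=" + addr + ")" + NUL */`, or the value could be derived from IPSEC_ADDRSTRLEN. The `scope_id?` question mark in the IPSEC_ADDRSTRLEN comment should also be resolved: ipsec_address() in this commit passes only `sin6_addr` to in6_print(), so it is not clear from the diff that a scope suffix is ever produced.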
@@ -307,8 +312,8 @@ size_t ipsec4_hdrsiz_tcp (struct tcpcb * #define ipsec4_getpolicybyaddr ipsec_getpolicybyaddr union sockaddr_union; -const char *ipsec_address(const union sockaddr_union* sa); -const char *ipsec_logsastr (const struct secasvar *); +const char *ipsec_address(const union sockaddr_union* sa, char *, size_t); +const char *ipsec_logsastr(const struct secasvar *, char *, size_t); void ipsec_dumpmbuf (struct mbuf *); Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.46 src/sys/netipsec/ipsec_output.c:1.47 --- src/sys/netipsec/ipsec_output.c:1.46 Mon May 8 06:39:23 2017 +++ src/sys/netipsec/ipsec_output.c Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $ */ /*- * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting @@ -29,7 +29,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.47 2017/05/11 05:55:14 ryo Exp $"); /* * IPsec output processing. @@ -177,10 +177,11 @@ ipsec_process_done(struct mbuf *m, struc mo = m_makespace(m, sizeof(struct ip), hlen, &roff); if (mo == NULL) { - DPRINTF(("ipsec_process_done : failed to inject" - "%u byte UDP for SA %s/%08lx\n", - hlen, ipsec_address(&saidx->dst), - (u_long) ntohl(sav->spi))); + char buf[IPSEC_ADDRSTRLEN]; + DPRINTF(("ipsec_process_done : failed to inject" + "%u byte UDP for SA %s/%08lx\n", + hlen, ipsec_address(&saidx->dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } Index: src/sys/netipsec/ipsec_input.c diff -u src/sys/netipsec/ipsec_input.c:1.41 src/sys/netipsec/ipsec_input.c:1.42 --- src/sys/netipsec/ipsec_input.c:1.41 Wed Apr 19 03:39:14 2017 +++ src/sys/netipsec/ipsec_input.c Thu May 11 05:55:14 2017 
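Review bot: The new prototypes in ipsec.h drop the parameter names (`char *, size_t`), and the header is where callers look to find out how much space to pass. I would write `const char *ipsec_address(const union sockaddr_union *sa, char *buf, size_t size);` and `const char *ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size);`, each with a short comment naming the expected size (IPSEC_ADDRSTRLEN and IPSEC_LOGSASTRLEN respectively). The two sizes are easy to mix up, as the INET6_ADDRSTRLEN buffer passed to ipsec_logsastr() in ipsec_updatereplay() shows.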
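Review bot: The re-indented DPRINTF in ipsec_process_done() still concatenates `"ipsec_process_done : failed to inject"` with `"%u byte UDP for SA ..."` without a space between them, so the byte count runs straight into the word "inject" in the log. Since these lines are being rewritten anyway, the first literal should end in a space: `"ipsec_process_done : failed to inject "`. Declaring `buf` inside the failure block, as done here, is the right scope for a buffer that only the log call uses.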
@@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $ */ +/* $NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.41 2017/04/19 03:39:14 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.42 2017/05/11 05:55:14 ryo Exp $"); /* * IPsec input processing. @@ -122,6 +122,7 @@ do { \ static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { + char buf[IPSEC_ADDRSTRLEN]; union sockaddr_union dst_address; struct secasvar *sav; u_int32_t spi; @@ -213,7 +214,7 @@ ipsec_common_input(struct mbuf *m, int s if (sav == NULL) { DPRINTF(("ipsec_common_input: no key association found for" " SA %s/%08lx/%u/%u\n", - ipsec_address(&dst_address), + ipsec_address(&dst_address, buf, sizeof(buf)), (u_long) ntohl(spi), sproto, ntohs(dport))); IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB, IPCOMP_STAT_NOTDB); @@ -225,7 +226,7 @@ ipsec_common_input(struct mbuf *m, int s if (sav->tdb_xform == NULL) { DPRINTF(("ipsec_common_input: attempted to use uninitialized" " SA %s/%08lx/%u\n", - ipsec_address(&dst_address), + ipsec_address(&dst_address, buf, sizeof(buf)), (u_long) ntohl(spi), sproto)); IPSEC_ISTAT(sproto, ESP_STAT_NOXFORM, AH_STAT_NOXFORM, IPCOMP_STAT_NOXFORM); @@ -305,9 +306,10 @@ ipsec4_common_input_cb(struct mbuf *m, s /* Fix IPv4 header */ if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { + char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("ipsec4_common_input_cb: processing failed " "for SA %s/%08lx\n", - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS, IPCOMP_STAT_HDROPS); 
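Review bot: In ipsec_common_input() the new `char buf[IPSEC_ADDRSTRLEN];` is declared at function scope, although the hunks shown use it only inside DPRINTF arguments on error paths. If DPRINTF expands to nothing when IPsec debugging is compiled out (its definition is not in this diff), the variable is unused and may trip an unused-variable warning, and it may enlarge the frame of a per-packet function either way. Declaring it in the block that logs, as this commit does in ipsec4_common_input_cb() and ah_input(), avoids both. The same applies to the function-scope buffers added in ah_input_cb(), ah_output(), esp_input_cb(), esp_output(), ipcomp_input_cb(), ipcomp_output(), ipcomp_output_cb() and ipip_output().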
@@ -340,10 +342,11 @@ ipsec4_common_input_cb(struct mbuf *m, s (saidx->proxy.sa.sa_family != AF_INET && saidx->proxy.sa.sa_family != 0)) { + char ipbuf[INET_ADDRSTRLEN]; DPRINTF(("ipsec4_common_input_cb: inner " "source address %s doesn't correspond to " "expected proxy source %s, SA %s/%08lx\n", - inet_ntoa4(ipn.ip_src), + IN_PRINT(ipbuf, ipn.ip_src), ipsp_address(saidx->proxy), ipsp_address(saidx->dst), (u_long) ntohl(sav->spi))); @@ -377,12 +380,13 @@ ipsec4_common_input_cb(struct mbuf *m, s saidx->proxy.sa.sa_family != 0)) { char ip6buf[INET6_ADDRSTRLEN]; + char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; DPRINTF(("ipsec4_common_input_cb: inner " "source address %s doesn't correspond to " "expected proxy source %s, SA %s/%08lx\n", ip6_sprintf(ip6buf, &ip6n.ip6_src), - ipsec_address(&saidx->proxy), - ipsec_address(&saidx->dst), + ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)), + ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, @@ -537,9 +541,10 @@ ipsec6_common_input_cb(struct mbuf *m, s if (m->m_len < sizeof(struct ip6_hdr) && (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { + char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("ipsec6_common_input_cb: processing failed " - "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst, + buf, sizeof(buf)), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS, IPCOMP_STAT_HDROPS); 
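Review bot: `IN_PRINT(ipbuf, ipn.ip_src)` in the AF_INET branch of ipsec4_common_input_cb() passes the address by value, whereas the IN6_PRINT call removed from ipsec.c in this commit took a pointer (`&sa->sin6.sin6_addr`) and in_print() is called with `&sa->sin.sin_addr`. If IN_PRINT follows the same convention, this should be `IN_PRINT(ipbuf, &ipn.ip_src)`. The same expression appears in the @@ -572 hunk of ipsec6_common_input_cb(). In the ipsec4 hunk the neighbouring `ipsp_address(saidx->proxy)` and `ipsp_address(saidx->dst)` calls were left unconverted, which suggests this block is not currently compiled; if so, the error will surface only when the block is enabled, so it is worth confirming that it builds. The enclosing function starts and ends outside the hunk.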
@@ -572,12 +577,14 @@ ipsec6_common_input_cb(struct mbuf *m, s (saidx->proxy.sa.sa_family != AF_INET && saidx->proxy.sa.sa_family != 0)) { + char ipbuf[INET_ADDRSTRLEN]; + char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; DPRINTF(("ipsec6_common_input_cb: inner " "source address %s doesn't correspond to " "expected proxy source %s, SA %s/%08lx\n", - inet_ntoa4(ipn.ip_src), - ipsec_address(&saidx->proxy), - ipsec_address(&saidx->dst), + IN_PRINT(ipbuf, ipn.ip_src), + ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)), + ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, @@ -609,12 +616,13 @@ ipsec6_common_input_cb(struct mbuf *m, s saidx->proxy.sa.sa_family != 0)) { char ip6buf[INET6_ADDRSTRLEN]; + char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; DPRINTF(("ipsec6_common_input_cb: inner " "source address %s doesn't correspond to " "expected proxy source %s, SA %s/%08lx\n", ip6_sprintf(ip6buf, &ip6n.ip6_src), - ipsec_address(&saidx->proxy), - ipsec_address(&saidx->dst), + ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)), + ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, Index: src/sys/netipsec/xform_ah.c diff -u src/sys/netipsec/xform_ah.c:1.53 src/sys/netipsec/xform_ah.c:1.54 --- src/sys/netipsec/xform_ah.c:1.53 Wed Apr 19 03:39:14 2017 +++ src/sys/netipsec/xform_ah.c Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ah.c,v 1.53 2017/04/19 03:39:14 ozaki-r Exp $ */ +/* $NetBSD: xform_ah.c,v 1.54 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */ /* @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.53 2017/04/19 03:39:14 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.54 2017/05/11 05:55:14 ryo Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" 
@@ -643,9 +643,10 @@ ah_input(struct mbuf *m, const struct se /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { + char buf[IPSEC_LOGSASTRLEN]; AH_STATINC(AH_STAT_REPLAY); DPRINTF(("%s: packet replay failure: %s\n", __func__, - ipsec_logsastr(sav))); + ipsec_logsastr(sav, buf, sizeof(buf)))); m_freem(m); return ENOBUFS; } @@ -655,10 +656,11 @@ ah_input(struct mbuf *m, const struct se ahx = sav->tdb_authalgxform; authsize = AUTHSIZE(sav); if (hl != authsize + rplen - sizeof(struct ah)) { + char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: bad authenticator length %u (expecting %lu)" " for packet in SA %s/%08lx\n", __func__, hl, (u_long) (authsize + rplen - sizeof(struct ah)), - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_BADAUTHL); m_freem(m); @@ -793,6 +795,7 @@ ah_input(struct mbuf *m, const struct se static int ah_input_cb(struct cryptop *crp) { + char buf[IPSEC_ADDRSTRLEN]; int rplen, error, skip, protoff; unsigned char calc[AH_ALEN_MAX]; struct mbuf *m; @@ -889,7 +892,7 @@ ah_input_cb(struct cryptop *crp) "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x, " \ "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x\n", __func__, authsize, - ipsec_address(&saidx->dst), + ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), calc[0], calc[1], calc[2], calc[3], calc[4], calc[5], calc[6], calc[7], @@ -941,7 +944,8 @@ ah_input_cb(struct cryptop *crp) error = m_striphdr(m, skip, rplen + authsize); if (error) { DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); + ipsec_address(&saidx->dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_HDROPS); goto bad; @@ -979,6 +983,7 @@ ah_output( int protoff ) { + char buf[IPSEC_ADDRSTRLEN]; const struct secasvar *sav; const struct auth_hash *ahx; struct cryptodesc *crda; 
@@ -1021,7 +1026,7 @@ ah_output( DPRINTF(("%s: unknown/unsupported protocol " "family %u, SA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_NOPF); error = EPFNOSUPPORT; @@ -1031,7 +1036,7 @@ ah_output( if (rplen + authsize + m->m_pkthdr.len > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), rplen + authsize + m->m_pkthdr.len, maxpacketsize)); AH_STATINC(AH_STAT_TOOBIG); @@ -1045,7 +1050,7 @@ ah_output( m = m_clone(m); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_HDROPS); error = ENOBUFS; @@ -1058,7 +1063,7 @@ ah_output( DPRINTF(("%s: failed to inject %u byte AH header for SA " "%s/%08lx\n", __func__, rplen + authsize, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_HDROPS); /*XXX differs from openbsd */ error = ENOBUFS; @@ -1085,8 +1090,8 @@ ah_output( if (sav->replay->count == ~0 && (sav->flags & SADB_X_EXT_CYCSEQ) == 0) { DPRINTF(("%s: replay counter wrapped for SA %s/%08lx\n", - __func__, ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + __func__, ipsec_address(&sav->sah->saidx.dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi))); AH_STATINC(AH_STAT_WRAP); error = EINVAL; goto bad; Index: src/sys/netipsec/xform_esp.c diff -u src/sys/netipsec/xform_esp.c:1.54 src/sys/netipsec/xform_esp.c:1.55 --- src/sys/netipsec/xform_esp.c:1.54 Wed Apr 19 03:39:14 2017 +++ src/sys/netipsec/xform_esp.c Thu May 11 05:55:14 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: xform_esp.c,v 1.54 2017/04/19 03:39:14 ozaki-r Exp $ */ +/* $NetBSD: xform_esp.c,v 1.55 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */ @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.54 2017/04/19 03:39:14 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.55 2017/05/11 05:55:14 ryo Exp $"); #if defined(_KERNEL_OPT) #include "opt_inet.h" @@ -339,9 +339,10 @@ esp_input(struct mbuf *m, const struct s */ plen = m->m_pkthdr.len - (skip + hlen + alen); if ((plen & (espx->blocksize - 1)) || (plen <= 0)) { + char buf[IPSEC_ADDRSTRLEN]; DPRINTF(("%s: payload of %d octets not a multiple of %d octets," " SA %s/%08lx\n", __func__, plen, espx->blocksize, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_BADILEN); m_freem(m); @@ -352,8 +353,9 @@ esp_input(struct mbuf *m, const struct s * Check sequence number. */ if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { - DPRINTF(("%s: packet replay check for %s\n", - __func__, ipsec_logsastr(sav))); /*XXX*/ + char logbuf[IPSEC_LOGSASTRLEN]; + DPRINTF(("%s: packet replay check for %s\n", __func__, + ipsec_logsastr(sav, logbuf, sizeof(logbuf)))); /*XXX*/ ESP_STATINC(ESP_STAT_REPLAY); m_freem(m); return ENOBUFS; /*XXX*/ @@ -499,6 +501,7 @@ out: static int esp_input_cb(struct cryptop *crp) { + char buf[IPSEC_ADDRSTRLEN]; uint8_t lastthree[3], aalg[AH_ALEN_MAX]; int s, hlen, skip, protoff, error; struct mbuf *m; 
@@ -531,7 +534,7 @@ esp_input_cb(struct cryptop *crp) ESP_STATINC(ESP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto " "(SA %s/%08lx proto %u)\n", __func__, - ipsec_address(&tc->tc_dst), + ipsec_address(&tc->tc_dst, buf, sizeof(buf)), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); error = ENOBUFS; /*XXX*/ goto bad; @@ -591,8 +594,8 @@ esp_input_cb(struct cryptop *crp) if (!consttime_memequal(ptr, aalg, esph->authsize)) { DPRINTF(("%s: authentication hash mismatch " "for packet in SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), - (u_long) ntohl(sav->spi))); + ipsec_address(&saidx->dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_BADAUTH); error = EACCES; goto bad; @@ -621,8 +624,9 @@ esp_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newesp, esp_seq), sizeof(seq), &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { + char logbuf[IPSEC_LOGSASTRLEN]; DPRINTF(("%s: packet replay check for %s\n", __func__, - ipsec_logsastr(sav))); + ipsec_logsastr(sav, logbuf, sizeof(logbuf)))); ESP_STATINC(ESP_STAT_REPLAY); error = ENOBUFS; goto bad; @@ -640,7 +644,7 @@ esp_input_cb(struct cryptop *crp) if (error) { ESP_STATINC(ESP_STAT_HDROPS); DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); goto bad; } @@ -654,7 +658,7 @@ esp_input_cb(struct cryptop *crp) DPRINTF(("%s: invalid padding length %d " "for %u byte packet in SA %s/%08lx\n", __func__, lastthree[1], m->m_pkthdr.len - skip, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; 
@@ -666,8 +670,8 @@ esp_input_cb(struct cryptop *crp) ESP_STATINC(ESP_STAT_BADENC); DPRINTF(("%s: decryption failed for packet in SA " "%s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + ipsec_address(&sav->sah->saidx.dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi))); DPRINTF(("%s: %x %x\n", __func__, lastthree[0], lastthree[1])); error = EINVAL; @@ -713,6 +717,7 @@ esp_output( int protoff ) { + char buf[IPSEC_ADDRSTRLEN]; const struct enc_xform *espx; const struct auth_hash *esph; int hlen, rlen, padding, blks, alen, i, roff; @@ -773,14 +778,16 @@ esp_output( default: DPRINTF(("%s: unknown/unsupported protocol family %d, " "SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family, - ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); + ipsec_address(&saidx->dst, buf, sizeof(buf)), + (u_long)ntohl(sav->spi))); ESP_STATINC(ESP_STAT_NOPF); error = EPFNOSUPPORT; goto bad; } if (skip + hlen + rlen + padding + alen > maxpacketsize) { DPRINTF(("%s: packet in SA %s/%08lx got too big (len %u, " - "max len %u)\n", __func__, ipsec_address(&saidx->dst), + "max len %u)\n", __func__, + ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), skip + hlen + rlen + padding + alen, maxpacketsize)); ESP_STATINC(ESP_STAT_TOOBIG); @@ -794,7 +801,8 @@ esp_output( m = m_clone(m); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); + ipsec_address(&saidx->dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_HDROPS); error = ENOBUFS; goto bad; 
@@ -804,7 +812,8 @@ esp_output( mo = m_makespace(m, skip, hlen, &roff); if (mo == NULL) { DPRINTF(("%s: failed to inject %u byte ESP hdr for SA " - "%s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst), + "%s/%08lx\n", __func__, hlen, + ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); ESP_STATINC(ESP_STAT_HDROPS); /* XXX diffs from openbsd */ error = ENOBUFS; @@ -834,7 +843,8 @@ esp_output( pad = m_pad(m, padding + alen); if (pad == NULL) { DPRINTF(("%s: m_pad failed for SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); + ipsec_address(&saidx->dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); m = NULL; /* NB: free'd by m_pad */ error = ENOBUFS; goto bad; @@ -970,9 +980,11 @@ esp_output_cb(struct cryptop *crp) isr = tc->tc_isr; sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi, 0, 0); if (sav == NULL) { + char buf[IPSEC_ADDRSTRLEN]; ESP_STATINC(ESP_STAT_NOTDB); DPRINTF(("%s: SA expired while in crypto (SA %s/%08lx " - "proto %u)\n", __func__, ipsec_address(&tc->tc_dst), + "proto %u)\n", __func__, + ipsec_address(&tc->tc_dst, buf, sizeof(buf)), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); error = ENOBUFS; /*XXX*/ goto bad; Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.37 src/sys/netipsec/xform_ipcomp.c:1.38 --- src/sys/netipsec/xform_ipcomp.c:1.37 Wed Apr 19 03:39:14 2017 +++ src/sys/netipsec/xform_ipcomp.c Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ 
@@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.37 2017/04/19 03:39:14 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.38 2017/05/11 05:55:14 ryo Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) @@ -230,6 +230,7 @@ ipcomp_input(struct mbuf *m, const struc static int ipcomp_input_cb(struct cryptop *crp) { + char buf[IPSEC_ADDRSTRLEN]; struct tdb_crypto *tc; int skip, protoff; struct mbuf *m; @@ -322,7 +323,7 @@ ipcomp_input_cb(struct cryptop *crp) case IPPROTO_ESP: IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("%s: nested ipcomp, IPCA %s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); error = EINVAL; goto bad; @@ -335,8 +336,8 @@ ipcomp_input_cb(struct cryptop *crp) if (error) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); goto bad; } @@ -375,6 +376,7 @@ ipcomp_output( int protoff ) { + char buf[IPSEC_ADDRSTRLEN]; const struct secasvar *sav; const struct comp_algo *ipcompx; int error, ralen, hlen, maxpacketsize; @@ -417,7 +419,7 @@ ipcomp_output( DPRINTF(("%s: unknown/unsupported protocol family %d" ", IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); error = EPFNOSUPPORT; goto bad; @@ -426,7 +428,7 @@ ipcomp_output( IPCOMP_STATINC(IPCOMP_STAT_TOOBIG); DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, - ipsec_address(&sav->sah->saidx.dst), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi), skip + hlen + ralen, maxpacketsize)); error = EMSGSIZE; 
@@ -440,7 +442,8 @@ ipcomp_output( if (m == NULL) { IPCOMP_STATINC(IPCOMP_STAT_HDROPS); DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", - __func__, ipsec_address(&sav->sah->saidx.dst), + __func__, + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; @@ -506,6 +509,7 @@ bad: static int ipcomp_output_cb(struct cryptop *crp) { + char buf[IPSEC_ADDRSTRLEN]; struct tdb_crypto *tc; struct ipsecrequest *isr; struct secasvar *sav; @@ -567,8 +571,8 @@ ipcomp_output_cb(struct cryptop *crp) IPCOMP_STATINC(IPCOMP_STAT_WRAP); DPRINTF(("%s: failed to inject IPCOMP header for " "IPCA %s/%08lx\n", __func__, - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + ipsec_address(&sav->sah->saidx.dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi))); error = ENOBUFS; goto bad; } @@ -618,8 +622,8 @@ ipcomp_output_cb(struct cryptop *crp) DPRINTF(("ipcomp_output: unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", sav->sah->saidx.dst.sa.sa_family, - ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); + ipsec_address(&sav->sah->saidx.dst, buf, + sizeof(buf)), (u_long) ntohl(sav->spi))); error = EPFNOSUPPORT; goto bad; } Index: src/sys/netipsec/xform_ipip.c diff -u src/sys/netipsec/xform_ipip.c:1.48 src/sys/netipsec/xform_ipip.c:1.49 --- src/sys/netipsec/xform_ipip.c:1.48 Wed Apr 19 03:39:14 2017 +++ src/sys/netipsec/xform_ipip.c Thu May 11 05:55:14 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipip.c,v 1.48 2017/04/19 03:39:14 ozaki-r Exp $ */ +/* $NetBSD: xform_ipip.c,v 1.49 2017/05/11 05:55:14 ryo Exp $ */ /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */ 
@@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.48 2017/04/19 03:39:14 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.49 2017/05/11 05:55:14 ryo Exp $"); /* * IP-inside-IP processing @@ -402,6 +402,7 @@ ipip_output( int protoff ) { + char buf[IPSEC_ADDRSTRLEN]; const struct secasvar *sav; uint8_t tp, otos; struct secasindex *saidx; @@ -434,7 +435,7 @@ ipip_output( saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) { DPRINTF(("%s: unspecified tunnel endpoint " "address in SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), + ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); error = EINVAL; @@ -508,7 +509,7 @@ ipip_output( IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) { DPRINTF(("%s: unspecified tunnel endpoint " "address in SA %s/%08lx\n", __func__, - ipsec_address(&saidx->dst), + ipsec_address(&saidx->dst, buf, sizeof(buf)), (u_long) ntohl(sav->spi))); IPIP_STATINC(IPIP_STAT_UNSPEC); error = ENOBUFS;