From atc@death.ath.cx  Tue Apr  8 11:14:34 2008
Return-Path: <atc@death.ath.cx>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8E2C01065685
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Apr 2008 11:14:34 +0000 (UTC)
	(envelope-from atc@death.ath.cx)
Received: from death.ath.cx (unknown [IPv6:2001:b121:4::213])
	by mx1.freebsd.org (Postfix) with ESMTP id 042D88FC6E
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Apr 2008 11:14:33 +0000 (UTC)
	(envelope-from atc@death.ath.cx)
Received: from death.ath.cx (localhost [127.0.0.1])
	by death.ath.cx (8.13.8/8.13.8) with ESMTP id m38BEUVE091664
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 8 Apr 2008 19:14:31 +0800 (CST)
	(envelope-from atc@death.ath.cx)
Received: (from root@localhost)
	by death.ath.cx (8.13.8/8.13.8/Submit) id m38BEU7k091663;
	Tue, 8 Apr 2008 19:14:30 +0800 (CST)
	(envelope-from atc)
Message-Id: <200804081114.m38BEU7k091663@death.ath.cx>
Date: Tue, 8 Apr 2008 19:14:30 +0800 (CST)
From: susan.lan@zyxel.com.tw
Reply-To: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Possible memory overwrite for IPv6 IPsec	
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         122565
>Category:       kern
>Synopsis:       [ipsec] [ip6] Possible memory overwrite for IPv6 IPsec
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:01 UTC 2008
>Closed-Date:    Sat Nov 06 15:57:37 UTC 2010
>Last-Modified:  Sat Nov  6 16:00:21 UTC 2010
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
	None
>Description:
	struct secashead defined in keydb.h line 89:

/* Security Association Data Base */
struct secashead {
   LIST_ENTRY(secashead) chain;

   struct secasindex saidx;

   struct secident *idents;    /* source identity */
   struct secident *identd;    /* destination identity */
                   /* XXX I don't know how to use them. */

   u_int8_t state;            /* MATURE or DEAD. */
   LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
                   /* SA chain */
                   /* The first of this list is newer SA */

   struct route sa_route;        /* route cache */
};

The last field "sa_route" is "struct route", whose space is not enough for IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned with an IPv6 address.

>How-To-Repeat:
	None
>Fix:
	To enlarge the field as struct route_in6, which could accommodate both IPv4 and IPv6 address.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Apr 8 12:26:26 UTC 2008 
Responsible-Changed-Why:  
mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122565 
State-Changed-From-To: open->analyzed 
State-Changed-By: bz 
State-Changed-When: Tue Jan 27 13:17:15 UTC 2009 
State-Changed-Why:  
Read the code, confirmed the problem but from what I see 
the entire sa_route handling needs a general overhaul. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122565 

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122565: [ipsec] [ip6] Possible memory overwrite for IPv6
 IPsec
Date: Tue, 27 Jan 2009 13:17:09 +0000 (UTC)

 From what I can see there is a lot of c&p from the old KAME code here,
 when comparing with a -r 105197 head/sys checkout.
 
 Apart from ip_ipsec_mtu() the sa_route doesn't seem to be used
 anywhere directly (ignoring accessor function for maintaining the
 value, like key_sa_routechange()).
 
 Initializing ro_dst for v6 the way it is done in ipsec6_output_tunnel()
 seems bogus but I am not sure what we should use as backing store
 for state->dst. We may want to somehow keep the pointer for state->dst
 but not update sa_route->ro_dst along with it. Ideally the caller
 would be responsible for providing the memory to store the value.
 So yes, there may be a possible memory overwrite in
 ipsec6_output_tunnel().
 
 
 Apart from this, we may want to entirely re-consider sa_route usage and
 assimilate v4/v6 functions/handling?
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, susan.lan@zyxel.com.tw
Cc:  
Subject: Re: kern/122565: [ipsec] [ip6] Possible memory overwrite for IPv6
 IPsec
Date: Thu, 14 Oct 2010 15:47:37 +0000 (UTC)

 Hey,
 
 finally getting around to do a kind of proper fix. You can also
 temporary fetch it from here:
 
 http://people.freebsd.org/~bz/20101014-01-ipsec-ro6-pr122565.diff
 
 Would be great if someone could test/review it as well and report
 back.  So far I know it compiles but not more;-)
 
 !
 ! Make the route cache a union to be able to hold both the
 ! legacy and IPv6 address.
 !
 ! Reviewed by: 
 ! PR:		kern/122565
 ! MFC After:	2 weeks
 !
 Index: sys/netinet/ip_ipsec.c
 ===================================================================
 --- sys/netinet/ip_ipsec.c	(revision 213837)
 +++ sys/netinet/ip_ipsec.c	(working copy)
 @@ -239,7 +239,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu)
   		if (sp->req != NULL &&
   		    sp->req->sav != NULL &&
   		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
   			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
   				mtu =
   				    ro->ro_rt->rt_rmx.rmx_mtu ?
 Index: sys/netinet6/ip6_ipsec.c
 ===================================================================
 --- sys/netinet6/ip6_ipsec.c	(revision 213837)
 +++ sys/netinet6/ip6_ipsec.c	(working copy)
 @@ -366,7 +366,7 @@ ip6_ipsec_mtu(struct mbuf *m)
   		if (sp->req != NULL &&
   		    sp->req->sav != NULL &&
   		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
   			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
   				mtu =
   				    ro->ro_rt->rt_rmx.rmx_mtu ?
 Index: sys/netipsec/keydb.h
 ===================================================================
 --- sys/netipsec/keydb.h	(revision 213837)
 +++ sys/netipsec/keydb.h	(working copy)
 @@ -85,6 +85,12 @@ struct seclifetime {
   	u_int64_t usetime;
   };
 
 +union sa_route_union {
 +	struct route		sa_route;
 +	struct route		sin_route;	/* Duplicate for consistency. */
 +	struct route_in6	sin6_route;
 +};
 +
   /* Security Association Data Base */
   struct secashead {
   	LIST_ENTRY(secashead) chain;
 @@ -100,7 +106,7 @@ struct secashead {
   					/* SA chain */
   					/* The first of this list is newer SA */
 
 -	struct route sa_route;		/* route cache */
 +	union sa_route_union route_cache;
   };
 
   struct xformsw;
 Index: sys/netipsec/ipsec_output.c
 ===================================================================
 --- sys/netipsec/ipsec_output.c	(revision 213837)
 +++ sys/netipsec/ipsec_output.c	(working copy)
 @@ -829,7 +829,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *st
   		}
   		ip6 = mtod(m, struct ip6_hdr *);
 
 -		state->ro = &isr->sav->sah->sa_route;
 +		state->ro =
 +		    (struct route *)&isr->sav->sah->route_cache.sin6_route;
   		state->dst = (struct sockaddr *)&state->ro->ro_dst;
   		dst6 = (struct sockaddr_in6 *)state->dst;
   		if (state->ro->ro_rt
 Index: sys/netipsec/key.c
 ===================================================================
 --- sys/netipsec/key.c	(revision 213837)
 +++ sys/netipsec/key.c	(working copy)
 @@ -2758,9 +2758,9 @@ key_delsah(sah)
   		/* remove from tree of SA index */
   		if (__LIST_CHAINED(sah))
   			LIST_REMOVE(sah, chain);
 -		if (sah->sa_route.ro_rt) {
 -			RTFREE(sah->sa_route.ro_rt);
 -			sah->sa_route.ro_rt = (struct rtentry *)NULL;
 +		if (sah->route_cache.sa_route.ro_rt) {
 +			RTFREE(sah->route_cache.sa_route.ro_rt);
 +			sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL;
   		}
   		free(sah, M_IPSEC_SAH);
   	}
 @@ -7925,7 +7925,7 @@ key_sa_routechange(dst)
 
   	SAHTREE_LOCK();
   	LIST_FOREACH(sah, &V_sahtree, chain) {
 -		ro = &sah->sa_route;
 +		ro = &sah->route_cache.sa_route;
   		if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
   		 && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
   			RTFREE(ro->ro_rt);
State-Changed-From-To: analyzed->feedback 
State-Changed-By: bz 
State-Changed-When: Thu Oct 14 16:09:06 UTC 2010 
State-Changed-Why:  
Patched proposed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122565 
State-Changed-From-To: feedback->patched 
State-Changed-By: bz 
State-Changed-When: Sat Oct 23 20:36:15 UTC 2010 
State-Changed-Why:  
Patch comitted to HEAD with r214250. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122565 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122565: commit references a PR
Date: Sat, 23 Oct 2010 20:35:47 +0000 (UTC)

 Author: bz
 Date: Sat Oct 23 20:35:40 2010
 New Revision: 214250
 URL: http://svn.freebsd.org/changeset/base/214250
 
 Log:
   Make the IPsec SADB embedded route cache a union to be able to hold both the
   legacy and IPv6 route destination address.
   Previously in case of IPv6, there was a memory overwrite due to not enough
   space for the IPv6 address.
   
   PR:		kern/122565
   MFC After:	2 weeks
 
 Modified:
   head/sys/netinet/ip_ipsec.c
   head/sys/netinet6/ip6_ipsec.c
   head/sys/netipsec/ipsec_output.c
   head/sys/netipsec/key.c
   head/sys/netipsec/keydb.h
 
 Modified: head/sys/netinet/ip_ipsec.c
 ==============================================================================
 --- head/sys/netinet/ip_ipsec.c	Sat Oct 23 16:59:39 2010	(r214249)
 +++ head/sys/netinet/ip_ipsec.c	Sat Oct 23 20:35:40 2010	(r214250)
 @@ -239,7 +239,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: head/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- head/sys/netinet6/ip6_ipsec.c	Sat Oct 23 16:59:39 2010	(r214249)
 +++ head/sys/netinet6/ip6_ipsec.c	Sat Oct 23 20:35:40 2010	(r214250)
 @@ -366,7 +366,7 @@ ip6_ipsec_mtu(struct mbuf *m)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: head/sys/netipsec/ipsec_output.c
 ==============================================================================
 --- head/sys/netipsec/ipsec_output.c	Sat Oct 23 16:59:39 2010	(r214249)
 +++ head/sys/netipsec/ipsec_output.c	Sat Oct 23 20:35:40 2010	(r214250)
 @@ -829,7 +829,8 @@ ipsec6_output_tunnel(struct ipsec_output
  		}
  		ip6 = mtod(m, struct ip6_hdr *);
  
 -		state->ro = &isr->sav->sah->sa_route;
 +		state->ro =
 +		    (struct route *)&isr->sav->sah->route_cache.sin6_route;
  		state->dst = (struct sockaddr *)&state->ro->ro_dst;
  		dst6 = (struct sockaddr_in6 *)state->dst;
  		if (state->ro->ro_rt
 
 Modified: head/sys/netipsec/key.c
 ==============================================================================
 --- head/sys/netipsec/key.c	Sat Oct 23 16:59:39 2010	(r214249)
 +++ head/sys/netipsec/key.c	Sat Oct 23 20:35:40 2010	(r214250)
 @@ -2758,9 +2758,9 @@ key_delsah(sah)
  		/* remove from tree of SA index */
  		if (__LIST_CHAINED(sah))
  			LIST_REMOVE(sah, chain);
 -		if (sah->sa_route.ro_rt) {
 -			RTFREE(sah->sa_route.ro_rt);
 -			sah->sa_route.ro_rt = (struct rtentry *)NULL;
 +		if (sah->route_cache.sa_route.ro_rt) {
 +			RTFREE(sah->route_cache.sa_route.ro_rt);
 +			sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL;
  		}
  		free(sah, M_IPSEC_SAH);
  	}
 @@ -7925,7 +7925,7 @@ key_sa_routechange(dst)
  
  	SAHTREE_LOCK();
  	LIST_FOREACH(sah, &V_sahtree, chain) {
 -		ro = &sah->sa_route;
 +		ro = &sah->route_cache.sa_route;
  		if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
  		 && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
  			RTFREE(ro->ro_rt);
 
 Modified: head/sys/netipsec/keydb.h
 ==============================================================================
 --- head/sys/netipsec/keydb.h	Sat Oct 23 16:59:39 2010	(r214249)
 +++ head/sys/netipsec/keydb.h	Sat Oct 23 20:35:40 2010	(r214250)
 @@ -85,6 +85,12 @@ struct seclifetime {
  	u_int64_t usetime;
  };
  
 +union sa_route_union {
 +	struct route		sa_route;
 +	struct route		sin_route;	/* Duplicate for consistency. */
 +	struct route_in6	sin6_route;
 +};
 +
  /* Security Association Data Base */
  struct secashead {
  	LIST_ENTRY(secashead) chain;
 @@ -100,7 +106,7 @@ struct secashead {
  					/* SA chain */
  					/* The first of this list is newer SA */
  
 -	struct route sa_route;		/* route cache */
 +	union sa_route_union route_cache;
  };
  
  struct xformsw;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122565: commit references a PR
Date: Sat,  6 Nov 2010 14:46:32 +0000 (UTC)

 Author: bz
 Date: Sat Nov  6 14:46:24 2010
 New Revision: 214882
 URL: http://svn.freebsd.org/changeset/base/214882
 
 Log:
   MFC r214250:
   
     Make the IPsec SADB embedded route cache a union to be able to hold both the
     legacy and IPv6 route destination address.
     Previously in case of IPv6, there was a memory overwrite due to not enough
     space for the IPv6 address.
   
   PR:		kern/122565
 
 Modified:
   stable/8/sys/netinet/ip_ipsec.c
   stable/8/sys/netinet6/ip6_ipsec.c
   stable/8/sys/netipsec/ipsec_output.c
   stable/8/sys/netipsec/key.c
   stable/8/sys/netipsec/keydb.h
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/netinet/ip_ipsec.c
 ==============================================================================
 --- stable/8/sys/netinet/ip_ipsec.c	Sat Nov  6 14:38:57 2010	(r214881)
 +++ stable/8/sys/netinet/ip_ipsec.c	Sat Nov  6 14:46:24 2010	(r214882)
 @@ -239,7 +239,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: stable/8/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- stable/8/sys/netinet6/ip6_ipsec.c	Sat Nov  6 14:38:57 2010	(r214881)
 +++ stable/8/sys/netinet6/ip6_ipsec.c	Sat Nov  6 14:46:24 2010	(r214882)
 @@ -366,7 +366,7 @@ ip6_ipsec_mtu(struct mbuf *m)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: stable/8/sys/netipsec/ipsec_output.c
 ==============================================================================
 --- stable/8/sys/netipsec/ipsec_output.c	Sat Nov  6 14:38:57 2010	(r214881)
 +++ stable/8/sys/netipsec/ipsec_output.c	Sat Nov  6 14:46:24 2010	(r214882)
 @@ -829,7 +829,8 @@ ipsec6_output_tunnel(struct ipsec_output
  		}
  		ip6 = mtod(m, struct ip6_hdr *);
  
 -		state->ro = &isr->sav->sah->sa_route;
 +		state->ro =
 +		    (struct route *)&isr->sav->sah->route_cache.sin6_route;
  		state->dst = (struct sockaddr *)&state->ro->ro_dst;
  		dst6 = (struct sockaddr_in6 *)state->dst;
  		if (state->ro->ro_rt
 
 Modified: stable/8/sys/netipsec/key.c
 ==============================================================================
 --- stable/8/sys/netipsec/key.c	Sat Nov  6 14:38:57 2010	(r214881)
 +++ stable/8/sys/netipsec/key.c	Sat Nov  6 14:46:24 2010	(r214882)
 @@ -2767,9 +2767,9 @@ key_delsah(sah)
  		/* remove from tree of SA index */
  		if (__LIST_CHAINED(sah))
  			LIST_REMOVE(sah, chain);
 -		if (sah->sa_route.ro_rt) {
 -			RTFREE(sah->sa_route.ro_rt);
 -			sah->sa_route.ro_rt = (struct rtentry *)NULL;
 +		if (sah->route_cache.sa_route.ro_rt) {
 +			RTFREE(sah->route_cache.sa_route.ro_rt);
 +			sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL;
  		}
  		free(sah, M_IPSEC_SAH);
  	}
 @@ -7933,7 +7933,7 @@ key_sa_routechange(dst)
  
  	SAHTREE_LOCK();
  	LIST_FOREACH(sah, &V_sahtree, chain) {
 -		ro = &sah->sa_route;
 +		ro = &sah->route_cache.sa_route;
  		if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
  		 && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
  			RTFREE(ro->ro_rt);
 
 Modified: stable/8/sys/netipsec/keydb.h
 ==============================================================================
 --- stable/8/sys/netipsec/keydb.h	Sat Nov  6 14:38:57 2010	(r214881)
 +++ stable/8/sys/netipsec/keydb.h	Sat Nov  6 14:46:24 2010	(r214882)
 @@ -85,6 +85,12 @@ struct seclifetime {
  	u_int64_t usetime;
  };
  
 +union sa_route_union {
 +	struct route		sa_route;
 +	struct route		sin_route;	/* Duplicate for consistency. */
 +	struct route_in6	sin6_route;
 +};
 +
  /* Security Association Data Base */
  struct secashead {
  	LIST_ENTRY(secashead) chain;
 @@ -100,7 +106,7 @@ struct secashead {
  					/* SA chain */
  					/* The first of this list is newer SA */
  
 -	struct route sa_route;		/* route cache */
 +	union sa_route_union route_cache;
  };
  
  struct xformsw;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Sat Nov 6 15:57:08 UTC 2010 
State-Changed-Why:  
A fix has been merged to stable/7 and 8.  Thanks a lot for reporting. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122565 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122565: commit references a PR
Date: Sat,  6 Nov 2010 15:56:52 +0000 (UTC)

 Author: bz
 Date: Sat Nov  6 15:56:44 2010
 New Revision: 214891
 URL: http://svn.freebsd.org/changeset/base/214891
 
 Log:
   MFC r214250:
   
     Make the IPsec SADB embedded route cache a union to be able to hold both the
     legacy and IPv6 route destination address.
     Previously in case of IPv6, there was a memory overwrite due to not enough
     space for the IPv6 address.
   
   PR:		kern/122565
 
 Modified:
   stable/7/sys/netinet/ip_ipsec.c
   stable/7/sys/netinet6/ip6_ipsec.c
   stable/7/sys/netipsec/ipsec_output.c
   stable/7/sys/netipsec/key.c
   stable/7/sys/netipsec/keydb.h
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/ip_ipsec.c
 ==============================================================================
 --- stable/7/sys/netinet/ip_ipsec.c	Sat Nov  6 15:49:59 2010	(r214890)
 +++ stable/7/sys/netinet/ip_ipsec.c	Sat Nov  6 15:56:44 2010	(r214891)
 @@ -220,7 +220,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: stable/7/sys/netinet6/ip6_ipsec.c
 ==============================================================================
 --- stable/7/sys/netinet6/ip6_ipsec.c	Sat Nov  6 15:49:59 2010	(r214890)
 +++ stable/7/sys/netinet6/ip6_ipsec.c	Sat Nov  6 15:56:44 2010	(r214891)
 @@ -346,7 +346,7 @@ ip6_ipsec_mtu(struct mbuf *m)
  		if (sp->req != NULL &&
  		    sp->req->sav != NULL &&
  		    sp->req->sav->sah != NULL) {
 -			ro = &sp->req->sav->sah->sa_route;
 +			ro = &sp->req->sav->sah->route_cache.sa_route;
  			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
  				mtu =
  				    ro->ro_rt->rt_rmx.rmx_mtu ?
 
 Modified: stable/7/sys/netipsec/ipsec_output.c
 ==============================================================================
 --- stable/7/sys/netipsec/ipsec_output.c	Sat Nov  6 15:49:59 2010	(r214890)
 +++ stable/7/sys/netipsec/ipsec_output.c	Sat Nov  6 15:56:44 2010	(r214891)
 @@ -773,7 +773,8 @@ ipsec6_output_tunnel(struct ipsec_output
  		}
  		ip6 = mtod(m, struct ip6_hdr *);
  
 -		state->ro = &isr->sav->sah->sa_route;
 +		state->ro =
 +		    (struct route *)&isr->sav->sah->route_cache.sin6_route;
  		state->dst = (struct sockaddr *)&state->ro->ro_dst;
  		dst6 = (struct sockaddr_in6 *)state->dst;
  		if (state->ro->ro_rt
 
 Modified: stable/7/sys/netipsec/key.c
 ==============================================================================
 --- stable/7/sys/netipsec/key.c	Sat Nov  6 15:49:59 2010	(r214890)
 +++ stable/7/sys/netipsec/key.c	Sat Nov  6 15:56:44 2010	(r214891)
 @@ -2674,9 +2674,9 @@ key_delsah(sah)
  		/* remove from tree of SA index */
  		if (__LIST_CHAINED(sah))
  			LIST_REMOVE(sah, chain);
 -		if (sah->sa_route.ro_rt) {
 -			RTFREE(sah->sa_route.ro_rt);
 -			sah->sa_route.ro_rt = (struct rtentry *)NULL;
 +		if (sah->route_cache.sa_route.ro_rt) {
 +			RTFREE(sah->route_cache.sa_route.ro_rt);
 +			sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL;
  		}
  		free(sah, M_IPSEC_SAH);
  	}
 @@ -7196,7 +7196,7 @@ key_sa_routechange(dst)
  
  	SAHTREE_LOCK();
  	LIST_FOREACH(sah, &sahtree, chain) {
 -		ro = &sah->sa_route;
 +		ro = &sah->route_cache.sa_route;
  		if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
  		 && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
  			RTFREE(ro->ro_rt);
 
 Modified: stable/7/sys/netipsec/keydb.h
 ==============================================================================
 --- stable/7/sys/netipsec/keydb.h	Sat Nov  6 15:49:59 2010	(r214890)
 +++ stable/7/sys/netipsec/keydb.h	Sat Nov  6 15:56:44 2010	(r214891)
 @@ -85,6 +85,12 @@ struct seclifetime {
  	u_int64_t usetime;
  };
  
 +union sa_route_union {
 +	struct route		sa_route;
 +	struct route		sin_route;	/* Duplicate for consistency. */
 +	struct route_in6	sin6_route;
 +};
 +
  /* Security Association Data Base */
  struct secashead {
  	LIST_ENTRY(secashead) chain;
 @@ -100,7 +106,7 @@ struct secashead {
  					/* SA chain */
  					/* The first of this list is newer SA */
  
 -	struct route sa_route;		/* route cache */
 +	union sa_route_union route_cache;
  };
  
  struct xformsw;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
