From 9c5f84c723204804944fefba4dde238dac13e646 Mon Sep 17 00:00:00 2001
From: mestre
Date: Fri, 14 Sep 2018 23:40:10 +0000
Subject: [PATCH] Initialize the TDB to NULL in ipsec_common_input() and ipsec_{input,output}_cb() so that in the case of sending or receiving a bogus mbuf (NULL) we don't end up trying to dereference the TDB, while being an uninitialized pointer, to increase the drops. Coverity IDs 1473312, 1473313 and 1473317. OK mpi@ visa@
---
 sys/netinet/ipsec_input.c | 6 +++---
 sys/netinet/ipsec_output.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 785b90b9009..6bffa82cf0b 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.166 2018/08/28 15:15:02 mpi Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.167 2018/09/14 23:40:10 mestre Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -162,7 +162,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 } while (0)
 union sockaddr_union dst_address;
- struct tdb *tdbp;
+ struct tdb *tdbp = NULL;
 struct ifnet *encif;
 u_int32_t spi;
 u_int16_t cpi;
@@ -352,7 +352,7 @@ ipsec_input_cb(struct cryptop *crp)
 {
 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque;
 struct mbuf *m = (struct mbuf *) crp->crp_buf;
- struct tdb *tdb;
+ struct tdb *tdb = NULL;
 int clen, error;
 if (m == NULL) {
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index c477793a01f..28ff5b92781 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.74 2018/08/28 15:15:02 mpi Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.75 2018/09/14 23:40:10 mestre Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
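Review bot: Initializing `tdbp` in ipsec_common_input() and `tdb` in ipsec_input_cb() and ipsec_output_cb() to NULL is only safe if the drop path that increments the per-TDB drop counter tests the pointer before using it, and that code lies outside all three hunks. Without such a guard, the bogus-mbuf case (`if (m == NULL) {`, visible in both callbacks) would become a deterministic NULL dereference in the kernel rather than an uninitialized-pointer read. Please confirm that every exit path reached before the TDB lookup checks the pointer for NULL (something like `if (tdb != NULL)`) before touching it. A short comment at each declaration would record the invariant, for example `/* stays NULL until the TDB is looked up; drop paths must check */`. All three function bodies start or continue outside the hunks shown.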
@@ -388,7 +388,7 @@ ipsec_output_cb(struct cryptop *crp)
 {
 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque;
 struct mbuf *m = (struct mbuf *) crp->crp_buf;
- struct tdb *tdb;
+ struct tdb *tdb = NULL;
 int error, ilen, olen;
 if (m == NULL) {
-- 
2.20.1