summaryrefslogtreecommitdiff
path: root/sys/netipsec/xform_esp.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netipsec/xform_esp.c')
-rw-r--r--sys/netipsec/xform_esp.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 3c5ca6b65268..7eda6450bcbe 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -272,18 +272,18 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
struct newesp *esp;
uint8_t *ivp;
uint64_t cryptoid;
- int plen, alen, hlen;
+ int alen, error, hlen, plen;
IPSEC_ASSERT(sav != NULL, ("null SA"));
IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform"));
+ error = EINVAL;
/* Valid IP Packet length ? */
if ( (skip&3) || (m->m_pkthdr.len&3) ){
DPRINTF(("%s: misaligned packet, skip %u pkt len %u",
__func__, skip, m->m_pkthdr.len));
ESPSTAT_INC(esps_badilen);
- m_freem(m);
- return EINVAL;
+ goto bad;
}
/* XXX don't pullup, just copy header */
IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
@@ -314,8 +314,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
(u_long)ntohl(sav->spi)));
ESPSTAT_INC(esps_badilen);
- m_freem(m);
- return EINVAL;
+ goto bad;
}
/*
@@ -328,8 +327,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_sa2str(sav, buf, sizeof(buf))));
ESPSTAT_INC(esps_replay);
- m_freem(m);
- return (EACCES);
+ error = EACCES;
+ goto bad;
}
}
cryptoid = sav->tdb_cryptoid;
@@ -344,8 +343,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
ESPSTAT_INC(esps_crypto);
- m_freem(m);
- return ENOBUFS;
+ error = ENOBUFS;
+ goto bad;
}
/* Get IPsec-specific opaque pointer */
@@ -354,8 +353,8 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
DPRINTF(("%s: failed to allocate xform_data\n", __func__));
ESPSTAT_INC(esps_crypto);
crypto_freereq(crp);
- m_freem(m);
- return ENOBUFS;
+ error = ENOBUFS;
+ goto bad;
}
if (esph != NULL) {
@@ -425,6 +424,10 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
crde->crd_alg = espx->type;
return (crypto_dispatch(crp));
+bad:
+ m_freem(m);
+ key_freesav(&sav);
+ return (error);
}
/*
@@ -858,6 +861,8 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
bad:
if (m)
m_freem(m);
+ key_freesav(&sav);
+ key_freesp(&sp);
return (error);
}
/*
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-03 09:08:36 +0000