git: 90aacac54b83 - stable/13 - tcpmd5: return ENOENT when security association not found
Date: Thu, 10 Feb 2022 19:30:35 UTC
The branch stable/13 has been updated by rew:
URL: https://cgit.FreeBSD.org/src/commit/?id=90aacac54b8336c5c36f64001d62ab2dd581c0c2
commit 90aacac54b8336c5c36f64001d62ab2dd581c0c2
Author: Robert Wing <rew@FreeBSD.org>
AuthorDate: 2022-01-09 01:07:10 +0000
Commit: Robert Wing <rew@FreeBSD.org>
CommitDate: 2022-02-10 19:28:54 +0000
tcpmd5: return ENOENT when security association not found
Return ENOENT from tcp_ipsec_input() when a security association is not
found. This allows callers of TCP_MD5_INPUT() to differentiate between a
security association not found and receiving a bad signature.
Also return ENOENT from tcp_ipsec_output() for consistency.
Reviewed by: ae
Sponsored by: nepustil.net
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33226
(cherry picked from commit 91d388119ae229702538b96d79cf76556cf0ecf4)
---
sys/netipsec/xform_tcp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 54681f7df5d2..b53544cd00fb 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -251,7 +251,7 @@ setsockaddrs(const struct mbuf *m, union sockaddr_union *src,
* th pointer to TCP header
* buf pointer to storage for computed MD5 digest
*
- * Return 0 if successful, otherwise return -1.
+ * Return 0 if successful, otherwise return error code.
*/
static int
tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
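Review bot: The new comment line "otherwise return error code" above tcp_ipsec_input() does not say which codes a caller can expect, although the commit message states the purpose is to let callers of TCP_MD5_INPUT() tell a missing security association from a bad signature. Suggest naming ENOENT explicitly in the comment (for example "ENOENT if no security association is found") so the contract that callers are meant to rely on is documented next to the function.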
@@ -267,7 +267,7 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
}
/*
* tcp_input() operates with TCP header fields in host
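Review bot: Changing the sav == NULL return from EACCES to ENOENT in tcp_ipsec_input() alters what every caller of TCP_MD5_INPUT() sees, yet the diffstat shows only sys/netipsec/xform_tcp.c is touched. Before merging to a stable branch, confirm that no existing caller compares the result against EACCES specifically and that all of them still treat the new nonzero value as a failure, so a missing security association cannot be handled as a valid signature. Also note that this path still increments tcps_sig_err_buildsig, so the statistics do not separate "association not found" from other signature-build errors even though the return value now does.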
@@ -307,7 +307,7 @@ tcp_ipsec_output(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
}
tcp_signature_compute(m, th, sav, buf);
key_freesav(&sav);
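Review bot: The return value in tcp_ipsec_output() changes to ENOENT, but none of the three inserted lines in this patch touches a comment for that function, while the comment for tcp_ipsec_input() was corrected from "return -1" to "return error code". If the header comment of tcp_ipsec_output() carries the same stale "-1" wording, update it in the same change so both functions document the ENOENT case consistently.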