authordanmcd <none@none>2007-10-19 15:23:10 -0700
committerdanmcd <none@none>2007-10-19 15:23:10 -0700
commit10b3fbf593a6678eec9b50a01903ef4eb73111e4 (patch)
treeab81dccbb54a3ac0cd1554734ba4b46bec646692 /usr/src
parent57607821588eaddbfd5479d2ed83380b4553f15d (diff)
6616749 Stronger IPsec algorithm existence checks needed.
6618673 IPsec per-socket policy for IPv6 no longer works, causes panics in bypass + no-global case.
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/uts/common/inet/ip/ip.c2
-rw-r--r--usr/src/uts/common/inet/ip/sadb.c4
2 files changed, 5 insertions, 1 deletions
diff --git a/usr/src/uts/common/inet/ip/ip.c b/usr/src/uts/common/inet/ip/ip.c
index 7b90000ab7..fbfe8f8f68 100644
--- a/usr/src/uts/common/inet/ip/ip.c
+++ b/usr/src/uts/common/inet/ip/ip.c
@@ -10201,7 +10201,7 @@ ipsec_set_req(cred_t *cr, conn_t *connp, ipsec_req_t *req)
if (pout4 == NULL)
goto enomem;
- if (connp->conn_pkt_isv6) {
+ if (connp->conn_af_isv6) {
/*
* We're looking at a v6 socket, also allocate the
* v6-specific entries...
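Review bot: The `if (connp->conn_af_isv6)` test carries no comment saying why the socket's address-family flag, and not `conn_pkt_isv6`, decides whether the v6 policy entries get allocated. The commit description ties the old test to broken per-socket IPv6 policy and panics, so the distinction is easy to get wrong again. Presumably `conn_pkt_isv6` tracks the packet format currently in use rather than the socket family; if so, I would extend the existing comment with something like `* Key off the address family, not the packet format: a v6 socket always needs its v6 policy entries.` ipsec_set_req starts and ends outside this hunk, so the matching teardown and lookup paths are worth checking for the same flag.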
diff --git a/usr/src/uts/common/inet/ip/sadb.c b/usr/src/uts/common/inet/ip/sadb.c
index 2af693d1d0..ace5a3df04 100644
--- a/usr/src/uts/common/inet/ip/sadb.c
+++ b/usr/src/uts/common/inet/ip/sadb.c
@@ -4618,6 +4618,10 @@ sadb_new_algdesc(uint8_t *start, uint8_t *limit,
mutex_enter(&ipss->ipsec_alg_lock);
algp = ipss->ipsec_alglists[(algtype == SADB_X_ALGTYPE_AUTH) ?
IPSEC_ALG_AUTH : IPSEC_ALG_ENCR][alg];
+ if (algp == NULL) {
+ mutex_exit(&ipss->ipsec_alg_lock);
+ return (NULL); /* Algorithm doesn't exist. Fail gracefully. */
+ }
if (minbits < algp->alg_ef_minbits)
minbits = algp->alg_ef_minbits;
if (maxbits > algp->alg_ef_maxbits)
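Review bot: The new `return (NULL)` path releases `ipsec_alg_lock` correctly, but nothing in the hunk shows that callers of sadb_new_algdesc treat NULL as "algorithm not registered" rather than only as an out-of-space condition. The function body starts and ends outside the hunk, so it is also worth confirming that nothing updated before the lookup needs to be undone on this early exit. The table is indexed with `alg` before any range check visible here; if its type does not already bound it to the size of `ipsec_alglists[]`, that check belongs next to the NULL test. I would document the contract in the function's block comment, e.g. `* Returns NULL if the buffer is exhausted or the requested algorithm is not registered; callers must check.`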