[Swan-dev] IKEv2: fix a crash when only one endpoint specifies policy-label=
Wewegama, Kavinda
Kavinda.Wewegama at forcepoint.com
Wed Mar 10 18:36:00 UTC 2021
Hi Hugh,
I think it makes sense to replace the final IF with just a `return`:
if (sec_label.len == 0) {
/* This endpoint is not configured to use labeled IPsec. */
if (!tsi->contains_sec_label && !tsr->contains_sec_label) {
/* No sec_label was found and none was expected. */
return NULL;
}
/*
* Error: This end is *not* configured to use labeled
* IPsec but the peer is.
*/
return &null_shunk;
}
Thanks for taking a look at this and providing feedback!
-Kavinda
> -----Original Message-----
> From: Swan-dev <swan-dev-bounces at lists.libreswan.org> On Behalf Of D.
> Hugh Redelmeier
> Sent: Wednesday, March 10, 2021 12:09 PM
> To: swan-dev at lists.libreswan.org
> Subject: EXTERNAL: Re: [Swan-dev] IKEv2: fix a crash when only one
> endpoint specifies policy-label=
>
> | commit 2a2376e5bfa6c19e9a334e2a651b54135e64ab21
> | Author: Kavinda Wewegama <kavinda.wewegama at forcepointgov.com>
> | Date: Tue Mar 9 21:38:55 2021 -0500
> |
> | IKEv2: fix a crash when only one endpoint specifies policy-label=
> |
> | Signed-off-by: Paul Wouters <pwouters at redhat.com>
>
> Code is extracted from score_ends_seclabel:
>
> if (sec_label.len == 0) {
> /* This endpoint is not configured to use labeled IPsec. */
> if (!tsi->contains_sec_label && !tsr->contains_sec_label) {
> /* No sec_label was found and none was expected? */
> return NULL; /* success: no label, as expected */
> }
>
> if (tsi->contains_sec_label || tsr->contains_sec_label) {
> /*
> * Error: This end is *not* configured to use labeled
> * IPsec but the peer is.
> */
> return &null_shunk;
> }
> }
>
> /* This endpoint is configured to use labeled IPsec. */
>
> This code confuses me.
>
> The final IF condition is the complement of the previous one.
> So an ELSE would do the job. But since the THEN clause never falls through,
> an ELSE isn't even needed.
>
> It isn't clear, but the the THEN case of the outer IF never falls through.
>
> I'll commit code that makes this clearer.
>
> Is this what is intended?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list