diff --git a/sys/net/if_ipsec.c b/sys/net/if_ipsec.c
--- a/sys/net/if_ipsec.c
+++ b/sys/net/if_ipsec.c
@@ -666,6 +666,10 @@
 break;
 }
 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
+ if (saidx == NULL) {
+ error = EHOSTUNREACH;
+ break;
+ }
 switch (cmd) {
 #ifdef INET
 case SIOCGIFPSRCADDR:
@@ -783,6 +787,8 @@
 int localip;
 
 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
+ if (saidx == NULL)
+ return;
 localip = 0;
 switch (sc->family) {
 #ifdef INET
@@ -813,13 +819,17 @@
 {
 struct ipsec_softc *sc;
 struct secasindex *saidx;
+ struct ipsec_iflist *h;
 
 /* Check that VNET is ready */
 if (V_ipsec_idhtbl == NULL)
 return;
 
 NET_EPOCH_ASSERT();
- CK_LIST_FOREACH(sc, ipsec_srchash(sa), srchash) {
+ h = ipsec_srchash(sa);
+ if (h == NULL)
+ return;
+ CK_LIST_FOREACH(sc, h, srchash) {
 if (sc->family == 0)
 continue;
 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
@@ -1017,12 +1027,18 @@
 struct sockaddr *dst, uint32_t reqid)
 {
 struct epoch_tracker et;
+ struct ipsec_iflist *h;
 struct secpolicy *sp[IPSEC_SPCOUNT];
 int i;
 
 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
 
 /* Allocate SP with new addresses. */
+ h = ipsec_srchash(src);
+ if (h == NULL) {
+ sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+ return (EAFNOSUPPORT);
+ }
 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
 /* Add new policies to SPDB */
 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
@@ -1035,7 +1051,7 @@
 for (i = 0; i < IPSEC_SPCOUNT; i++)
 sc->sp[i] = sp[i];
 sc->family = src->sa_family;
- CK_LIST_INSERT_HEAD(ipsec_srchash(src), sc, srchash);
+ CK_LIST_INSERT_HEAD(h, sc, srchash);
 } else {
 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
 return (ENOMEM);
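Review bot: In the hunk at `@@ -783,6 +787,8 @@`, the new `if (saidx == NULL) return;` leaves the function before anything touches `IFF_DRV_RUNNING`, so a flag set earlier would survive even though no outbound SA index exists for the interface. The rest of the function is outside the hunk, but `localip` looks like the input to that flag, and the `@@ -1017,12 +1027,18 @@` hunk clears the flag explicitly on its own failure path. Failing closed here would be consistent with that: `if (saidx == NULL) { sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; return; }`. If leaving the flag untouched is intended, a one-line comment saying so would help the next reader.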
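Review bot: The `ipsec_getsaidx()` call on the last line of the `@@ -813,13 +819,17 @@` hunk is the same lookup this commit now treats as able to return NULL in the two earlier hunks, and here it is keyed on `sa->sa_family` from the event rather than on `sc->family`. The loop body continues past the hunk, so I cannot see whether `saidx` is tested before it is used; if it is not, `if (saidx == NULL) continue;` directly after the call would close the same gap. Separately, a short comment on the `h == NULL` return, such as `/* No hash bucket for this address family. */`, would make the silent exit self-explanatory.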
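Review bot: In the `@@ -1017,12 +1027,18 @@` hunk the bucket lookup is inserted between the existing comment `/* Allocate SP with new addresses. */` and the `ipsec_newpolicies()` call it describes, so the comment now sits above the hash check instead of the allocation. Doing the lookup before any policy is allocated is the right order, since the `EAFNOSUPPORT` return then has nothing to release, but that reasoning is worth writing down. I would move the old comment down to just above `if (ipsec_newpolicies(` and put something like `/* Resolve the hash bucket first so an unsupported family fails before any SP exists. */` above `h = ipsec_srchash(src);`. The function starts and ends outside the hunk; the reuse of `h` in the `@@ -1035,7 +1051,7 @@` hunk needs no further change.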