Date:      Wed, 27 Apr 2011 12:17:59 GMT
From:      Tobias Brunner <tobias@strongswan.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/156676: [ipsec][patch] reference to policy in key_spdget is not released
Message-ID:  <201104271217.p3RCHxBH084448@red.freebsd.org>
Resent-Message-ID: <201104271220.p3RCK8j3039305@freefall.freebsd.org>

>Number:         156676
>Category:       kern
>Synopsis:       [ipsec][patch] reference to policy in key_spdget is not released
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 27 12:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Tobias Brunner
>Release:        8.2-RELEASE
>Organization:
strongSwan Project
>Environment:
FreeBSD bsd.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Apr 26 17:58:34 CEST 2011     root@bsd.localdomain:/usr/obj/usr/src/sys/IPSEC  i386
>Description:
In key_spdget the reference to the requested policy that gets allocated in key_get_spdbyid is not released (e.g. with a call to KEY_FREESP).

strongSwan, for example, uses SADB_X_SPDGET to query the last use time of a policy in order to check for idleness (and for status reports).  By increasing the reference count with each request, the policies cannot be deleted with a single SPD_X_SPDDELETE anymore.
>How-To-Repeat:

>Fix:
See attached patch...

Patch attached with submission follows:

--- sys/netipsec/key.orig.c	2011-04-27 13:39:43.000000000 +0200
+++ sys/netipsec/key.c	2011-04-27 14:14:24.000000000 +0200
@@ -2273,6 +2273,7 @@
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
+	int error;
 
 	IPSEC_ASSERT(so != NULL, ("null socket"));
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -2297,9 +2298,12 @@
 	n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
 	if (n != NULL) {
 		m_freem(m);
-		return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
+		error = key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 	} else
-		return key_senderror(so, m, ENOBUFS);
+		error = key_senderror(so, m, ENOBUFS);
+
+	KEY_FREESP(&sp);
+	return error;
 }
 
 /*
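Review bot: KEY_FREESP(&sp) can be called directly after the key_setdumpsp() call at the top of this hunk instead of at the end of the function, because sp is not passed to key_sendup_mbuf() or key_senderror() in the lines shown. Releasing it there keeps the two original return statements, makes the new `error` local unnecessary, and reduces the fix to one added line. If the release stays at the end, brace the else branch to match the braced if. The code between the policy lookup and this point is not visible in the hunk, so confirm that no return path there exits while still holding the reference.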


>Release-Note:
>Audit-Trail:
>Unformatted: