Date:      Wed, 27 Feb 2008 01:16:23 -0600 (CST)
From:      Matthew Grooms <mgrooms@shrew.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        bzeeb-lists@lists.zabbadoz.net
Subject:   kern/121140: FAST IPsec spd_delete2 bug ...
Message-ID:  <200802270716.m1R7GN8L065275@hole.shrew.net>
Resent-Message-ID: <200802270750.m1R7o2VO090426@freefall.freebsd.org>


>Number:         121140
>Category:       kern
>Synopsis:       FAST IPsec spd_delete2 bug ...
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 27 07:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Grooms
>Release:        FreeBSD 6.2-RELEASE i386
>Organization:
Shrew Soft Inc
>Environment:
System: FreeBSD hole.shrew.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 15 17:47:14 UTC 2007 root@hole.shrew.net:/usr/obj/usr/src/sys/CUSTOM i386

I believe this affects all FreeBSD releases with FAST IPsec.

>Description:

There is a bug in /usr/src/sys/netipsec/key.c in FreeBSD FAST IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes.

>How-To-Repeat:

Send an SADB_X_SPDDELETE2 message to PF_KEY with an invalid policy id.

>Fix:

Please apply this patch.

--- spddelete.diff begins here ---
--- key.c	Fri Feb 15 02:18:16 2008
+++ key.c.fixed	Fri Feb 15 02:18:35 2008
@@ -2125,7 +2125,7 @@
 	/* Is there SP in SPD ? */
 	if ((sp = key_getspbyid(id)) == NULL) {
 		ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id));
-		key_senderror(so, m, EINVAL);
+		return key_senderror(so, m, EINVAL);
 	}
 
 	sp->state = IPSEC_SPSTATE_DEAD;
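Review bot: the added `return` is the whole fix and it is the right one: in the `sp == NULL` branch the original code called `key_senderror(so, m, EINVAL);` and then fell through to `sp->state = IPSEC_SPSTATE_DEAD;`, dereferencing the NULL `sp` that was just logged as "no SP found", which is the crash described in the report. Two follow-ups for this hunk: a short comment on the `return` would help (an error-reply call that is not followed by `return` is easy to reintroduce in this style of code), and the other `key_senderror(so, m, ...)` call sites in key.c should be audited for the same missing `return`, since the same pattern is likely to recur.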
--- spddelete.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: