Date: Wed, 27 Feb 2008 01:16:23 -0600 (CST)
From: Matthew Grooms <mgrooms@shrew.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: bzeeb-lists@lists.zabbadoz.net
Subject: kern/121140: FAST IPsec spd_delete2 bug ...
Message-ID: <200802270716.m1R7GN8L065275@hole.shrew.net>
Resent-Message-ID: <200802270750.m1R7o2VO090426@freefall.freebsd.org>
>Number: 121140
>Category: kern
>Synopsis: FAST IPsec spd_delete2 bug ...
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 27 07:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Matthew Grooms
>Release: FreeBSD 6.2-RELEASE i386
>Organization: Shrew Soft Inc
>Environment:
System: FreeBSD hole.shrew.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 15 17:47:14 UTC 2007 root@hole.shrew.net:/usr/obj/usr/src/sys/CUSTOM i386

I believe this affects all FreeBSD releases with FAST IPsec.
>Description:
There is a bug in /usr/src/sys/netipsec/key.c in FreeBSD FAST IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes.
>How-To-Repeat:
Send an SADB_X_SPDDELETE2 message to PF_KEY with an invalid policy id.
>Fix:
Please apply this patch.

--- spddelete.diff begins here --- --- key.c Fri Feb 15 02:18:16 2008 +++ key.c.fixed Fri Feb 15 02:18:35 2008 @@ -2125,7 +2125,7 @@ /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); - key_senderror(so, m, EINVAL); + return key_senderror(so, m, EINVAL); } sp->state = IPSEC_SPSTATE_DEAD; --- spddelete.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
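Review bot: In the `sp == NULL` branch at key.c line 2125, the missing `return` is what lets control fall through to the unchanged line `sp->state = IPSEC_SPSTATE_DEAD;`, which dereferences the NULL pointer, so the one-word fix is correct for this call site, but the same pattern should be audited across the rest of key.c. Any other error branch that calls `key_senderror(so, m, ...)` without returning its result would carry on with the state it just rejected. It would also help to add a regression check based on the How-To-Repeat step: an SADB_X_SPDDELETE2 request carrying an unknown policy id should come back with EINVAL and leave the SPD unchanged. Since the id comes straight from a PF_KEY message, consider whether `LOG_DEBUG` is the right level for the "no SP found" log line if operators are expected to notice malformed requests.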