Date:      Wed, 26 Apr 2017 00:34:05 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r317431 - head/sys/netipsec
Message-ID:  <201704260034.v3Q0Y5uw065376@repo.freebsd.org>

Author: ae
Date: Wed Apr 26 00:34:05 2017
New Revision: 317431
URL: https://svnweb.freebsd.org/changeset/base/317431

Log:
  Fix SP refcount leak.
  
  PCB SP cache acquires extra reference, when SP is stored in the cache.
  Release this reference when PCB is destroyed in ipsec_delete_pcbpolicy().
  In ipsec_copy_pcbpolicy() release the reference to the SP if sp_in or
  sp_out is not NULL.
  
  Reported by:	Slawa Olhovchenkov <slw at zxy spb ru>
  MFC after:	1 week

Modified:
  head/sys/netipsec/ipsec_pcb.c

Modified: head/sys/netipsec/ipsec_pcb.c
==============================================================================
--- head/sys/netipsec/ipsec_pcb.c	Wed Apr 26 00:07:51 2017	(r317430)
+++ head/sys/netipsec/ipsec_pcb.c	Wed Apr 26 00:34:05 2017	(r317431)
@@ -172,10 +172,10 @@ ipsec_delete_pcbpolicy(struct inpcb *inp
 	if (inp->inp_sp == NULL)
 		return (0);
 
-	if (inp->inp_sp->flags & INP_INBOUND_POLICY)
+	if (inp->inp_sp->sp_in != NULL)
 		key_freesp(&inp->inp_sp->sp_in);
 
-	if (inp->inp_sp->flags & INP_OUTBOUND_POLICY)
+	if (inp->inp_sp->sp_out != NULL)
 		key_freesp(&inp->inp_sp->sp_out);
 
 	free(inp->inp_sp, M_IPSEC_INPCB);
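Review bot: The release in ipsec_delete_pcbpolicy() is now keyed on `sp_in`/`sp_out` being non-NULL rather than on the INP_INBOUND_POLICY/INP_OUTBOUND_POLICY flags, which is only correct if every non-NULL pointer stored in those slots owns a reference. A pointer stored there without one would now be over-released, and the SP could be freed while still in use elsewhere. The visible lines do not state that invariant, so I would add a comment above the first check, for example `/* sp_in/sp_out hold a reference whenever they are non-NULL (explicit policy or cached SP), independent of the INP_*_POLICY flags. */`. The function begins before this hunk and continues past the `free()`, so whether `inp->inp_sp` is cleared afterwards cannot be judged from here.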
@@ -250,6 +250,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, 
 		if (sp == NULL)
 			return (ENOBUFS);
 		ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
+		if (new->inp_sp->sp_in != NULL)
+			key_freesp(&new->inp_sp->sp_in);
 		new->inp_sp->sp_in = sp;
 		new->inp_sp->flags |= INP_INBOUND_POLICY;
 	}
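Review bot: The added `key_freesp(&new->inp_sp->sp_in);` drops the previous reference immediately before the slot is overwritten, which presumes nothing else can still be reading the old `sp_in` through this PCB; no lock assertion or comment in the hunk establishes that. I would add a comment such as `/* Release the reference held by a previously stored (possibly cached) SP before replacing it. */`. If callers are required to hold the inpcb lock, that should be asserted at function entry, which lies outside the hunk. The same applies to the outbound hunk that follows, at `new->inp_sp->sp_out`. The two added sequences differ only in direction, so a small static helper that releases and replaces a slot would keep the reference handling in one place.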
@@ -258,6 +260,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, 
 		if (sp == NULL)
 			return (ENOBUFS);
 		ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
+		if (new->inp_sp->sp_out != NULL)
+			key_freesp(&new->inp_sp->sp_out);
 		new->inp_sp->sp_out = sp;
 		new->inp_sp->flags |= INP_OUTBOUND_POLICY;
 	}


