Date: Thu, 02 Nov 2017 15:08:46 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 223382] PFKey SA Update Prevents UDP-Encap SA From Updated Correctly Message-ID: <bug-223382-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D223382 Bug ID: 223382 Summary: PFKey SA Update Prevents UDP-Encap SA From Updated Correctly Product: Base System Version: 11.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: garrisoncreek@gmail.com When a UDP-encap SA is being updated with port change (e.g., MOBIKE update = SA), the updated SA is now an ESP SA. The bug is in the function key_updateaddresses. Instead of setting up the r= ight NAT info on the new updated SA, it does it on the old SA (which is about to= be freed). As a result, the updated SA has an empty NAT-T structure which means ESP. sys/netipsec/key.c newsav->natt =3D NULL; newsav->sah =3D sah; newsav->state =3D SADB_SASTATE_MATURE; error =3D key_setnatt(sav, mhp); if (error !=3D 0) goto fail; When this is patched to: error =3D key_setnatt(newsav, mhp); UDP-encap info (if any) is preserved. NOTE: There are other SA address updates, it may be that key_setnatt(sav, m= hp) makes sense for them. I have not tested all scenarios. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-223382-8>