kern/121140: FAST IPsec spd_delete2 bug ...
Matthew Grooms
mgrooms at shrew.net
Wed Feb 27 07:50:03 UTC 2008
>Number: 121140
>Category: kern
>Synopsis: FAST IPsec spd_delete2 bug ...
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 27 07:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Matthew Grooms
>Release: FreeBSD 6.2-RELEASE i386
>Organization:
Shrew Soft Inc
>Environment:
System: FreeBSD hole.shrew.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 15 17:47:14 UTC 2007 root at hole.shrew.net:/usr/obj/usr/src/sys/CUSTOM i386
I believe this affects all FreeBSD releases with FAST IPsec.
>Description:
There is a bug in /usr/src/sys/netipsec/key.c in FreeBSD FAST IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes.
>How-To-Repeat:
Send an SADB_X_SPDDELETE2 message to PF_KEY with an invalid policy id.
>Fix:
Please apply this patch.
--- spddelete.diff begins here ---
--- key.c Fri Feb 15 02:18:16 2008
+++ key.c.fixed Fri Feb 15 02:18:35 2008
@@ -2125,7 +2125,7 @@
/* Is there SP in SPD ? */
if ((sp = key_getspbyid(id)) == NULL) {
ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id));
- key_senderror(so, m, EINVAL);
+ return key_senderror(so, m, EINVAL);
}
sp->state = IPSEC_SPSTATE_DEAD;
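Review bot: The file headers name only key.c and key.c.fixed, so the patch does not say where in the tree it applies; regenerating it from the source root, so that the path matches the sys/netipsec/key.c location given in the description, would let it be applied without guesswork. The change itself is sound: in the key_getspbyid(id) == NULL branch, returning the result of key_senderror(so, m, EINVAL) stops execution from falling through to sp->state = IPSEC_SPSTATE_DEAD with sp still NULL.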
--- spddelete.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: