git: a16771de4c1e - main - ipsec: Return error code if no matching SA was found

Wojciech Macek wma at FreeBSD.org
Fri Aug 13 07:36:41 UTC 2021


The branch main has been updated by wma:

URL: https://cgit.FreeBSD.org/src/commit/?id=a16771de4c1e01b52318edfab315d0ba2dce0c65

commit a16771de4c1e01b52318edfab315d0ba2dce0c65
Author:     Kornel Duleba <mindal at semihalf.com>
AuthorDate: 2021-08-13 07:35:08 +0000
Commit:     Wojciech Macek <wma at FreeBSD.org>
CommitDate: 2021-08-13 07:35:08 +0000

    ipsec: Return error code if no matching SA was found
    
    If we matched SP to a packet, but no associated SA was found
    ipsec4_allocsa will return NULL while setting error=0.
    This resulted in use after free and potential kernel panic.
    Return EINPROGRESS in the case described above instead.
    
    Obtained from:          Semihalf
    Sponsored by:           Stormshield
    Differential revision:  https://reviews.freebsd.org/D30994
---
 sys/netipsec/ipsec_output.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index a817b67fd93e..2f8cc12c526b 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -322,6 +322,12 @@ setdf:
 	sav = ipsec4_allocsa(m, sp, &idx, &error);
 	if (sav == NULL) {
 		key_freesp(&sp);
+		/*
+		 * No matching SA was found and SADB_ACQUIRE message was generated.
+		 * Since we have matched a SP to this packet drop it silently.
+		 */
+		if (error == 0)
+			error = EINPROGRESS;
 		if (error != EJUSTRETURN)
 			m_freem(m);
 
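Review bot: the new `if (error == 0) error = EINPROGRESS;` turns every NULL return from ipsec4_allocsa that carries error == 0 into "packet consumed", so it relies on error == 0 being reachable only in the SP-matched-but-no-SA case that the commit message describes; the comment above it should state that assumption explicitly, and should say why EINPROGRESS rather than another errno: the caller treats it as "IPsec took the mbuf, not a failure", which is what stops it from using the mbuf that m_freem(m) just released, whereas the old return of 0 told the caller the mbuf was still its own. Since only the ipsec4_allocsa call site is changed in this patch, it is worth confirming whether the IPv6 output path makes the same lookup with the same NULL/error == 0 convention and needs the same treatment. Also, "drop it silently" is a policy decision for a packet that matched an SP; consider counting the drop in the IPsec statistics so operators can see packets being discarded while an SA is still being acquired.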


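A model of the error contract the commit fixes, as an added illustration that is not FreeBSD code: struct mbuf, m_freem(), allocsa_model(), process_packet_model() and caller_model() are simplified stand-ins for the kernel's mbuf, ipsec4_allocsa(), ipsec4_process_packet() and the ip_output() caller, and the value of EJUSTRETURN is assumed where the platform does not define it. The pre-fix path returns 0 after freeing the mbuf, so the caller keeps using it; with the commit's one-line change applied, the caller sees EINPROGRESS and stops.

```c
/*
 * Model of the caller/callee contract around ipsec4_allocsa() returning
 * NULL with error == 0.  Added illustration, not FreeBSD code: every name
 * below is a simplified stand-in, and "freeing" an mbuf only sets a flag so
 * a later use shows up as a checkable result instead of a kernel panic.
 */
#include <errno.h>
#include <stdio.h>

#ifndef EJUSTRETURN
#define EJUSTRETURN (-2)   /* assumed: the value FreeBSD's sys/errno.h uses */
#endif

struct mbuf {
    int freed;             /* set instead of really freeing the buffer */
    int len;
};

static void m_freem(struct mbuf *m) { m->freed = 1; }

/* Outcomes of the SP/SA lookup that the stand-in can simulate. */
enum sa_lookup {
    SA_FOUND,              /* SP matched and an SA exists */
    SA_MISSING_ACQUIRED,   /* SP matched, no SA, SADB_ACQUIRE sent: the bug */
    SA_BYPASS,             /* no IPsec needed: EJUSTRETURN, mbuf untouched */
    SA_LOOKUP_FAILED       /* hard failure, reported as an errno */
};

/* Stand-in for ipsec4_allocsa(): NULL plus *error tells the caller why. */
static void *allocsa_model(enum sa_lookup outcome, int *error)
{
    static int sa_handle;  /* any non-NULL pointer will do for the model */
    switch (outcome) {
    case SA_FOUND:            *error = 0;           return &sa_handle;
    case SA_MISSING_ACQUIRED: *error = 0;           return NULL;
    case SA_BYPASS:           *error = EJUSTRETURN; return NULL;
    default:                  *error = ENOENT;      return NULL;
    }
}

/*
 * Stand-in for ipsec4_process_packet().  Contract assumed by the caller:
 *   0 / EJUSTRETURN -> mbuf is still the caller's, keep transmitting
 *   EINPROGRESS     -> IPsec consumed the mbuf, finish without error
 *   other           -> failure, mbuf already freed
 * 'fixed' selects whether the commit's one-line change is applied.
 */
static int process_packet_model(struct mbuf *m, enum sa_lookup outcome,
    int fixed)
{
    int error;
    void *sav = allocsa_model(outcome, &error);

    if (sav == NULL) {
        if (fixed && error == 0)
            error = EINPROGRESS;   /* the change from the commit */
        if (error != EJUSTRETURN)
            m_freem(m);
        return error;              /* pre-fix: returns 0 after freeing m */
    }
    /* SA found: the transform takes ownership of m (not modelled further). */
    m_freem(m);
    return EINPROGRESS;
}

/*
 * Stand-in for the ip_output() side.  Returns 1 if the caller went on to
 * use an mbuf that process_packet_model() had already freed (the reported
 * use-after-free), 0 otherwise.  *reported receives the errno the caller
 * would pass upwards.
 */
static int caller_model(enum sa_lookup outcome, int fixed, int *reported)
{
    struct mbuf m = { 0, 100 };
    int error = process_packet_model(&m, outcome, fixed);

    *reported = 0;
    if (error == EINPROGRESS)
        return 0;                  /* consumed, nothing more to do */
    if (error != 0 && error != EJUSTRETURN) {
        *reported = error;
        return 0;                  /* failure, mbuf already gone */
    }
    /* 0 or EJUSTRETURN: keep transmitting, which touches m again. */
    if (m.freed)
        return 1;
    m.len += 20;                   /* e.g. prepend a link-layer header */
    return 0;
}

int main(void)
{
    int rep, uaf;

    uaf = caller_model(SA_MISSING_ACQUIRED, 0, &rep);
    printf("pre-fix, SA missing: use-after-free=%d errno=%d\n", uaf, rep);
    uaf = caller_model(SA_MISSING_ACQUIRED, 1, &rep);
    printf("fixed,   SA missing: use-after-free=%d errno=%d\n", uaf, rep);
    uaf = caller_model(SA_BYPASS, 1, &rep);
    printf("fixed,   bypass:     use-after-free=%d errno=%d\n", uaf, rep);
    return 0;
}
```

The point the model makes explicit is that the mbuf's ownership is signalled only through the return value: a callee that frees the buffer and then reports 0 has handed the caller a dangling pointer with no way to tell, which is why the fix changes the return code rather than the free.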
More information about the dev-commits-src-all mailing list