kern/81804: [patch] Deleting non-existent security policy using SADB_X_SPDDELETE2 crashes FreeBSD 4.x

KAMADA Ken'ichi kamada at nanohz.org
Thu Jun 2 05:50:03 PDT 2005


>Number:         81804
>Category:       kern
>Synopsis:       [patch] Deleting non-existent security policy using SADB_X_SPDDELETE2 crashes FreeBSD 4.x
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 02 12:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     KAMADA Ken'ichi <kamada at nanohz.org>
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
>Environment:
System: FreeBSD lethe.hongo.wide.ad.jp 4.11-STABLE FreeBSD 4.11-STABLE #15: Thu Jun 2 20:53:04 JST 2005 kamada at lethe.hongo.wide.ad.jp:/usr/obj/usr/src/sys/LETHE i386
with options IPSEC and IPSEC_ESP enabled.

>Description:
The 4.x kernel doesn't return correctly after the check of the existence
of IPsec policy in SADB_X_SPDDELETE2 via PF_KEYv2.
When I try to delete a non-existent policy, a NULL pointer is dereferenced
and the kernel crashes.

FreeBSD 5.x doesn't seem to have this problem.

>How-To-Repeat:

>Fix:

patch against FreeBSD: src/sys/netkey/key.c,v 1.16.2.15 2005/01/13 22:30:16 suz Exp

--- sys/netkey/key.c.orig	Fri Jan 14 07:30:16 2005
+++ sys/netkey/key.c	Thu Jun  2 20:09:00 2005
@@ -2092,8 +2092,7 @@
 	if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		ipseclog((LOG_DEBUG, "key_spddelete2: invalid message is passed.\n"));
-		key_senderror(so, m, EINVAL);
-		return 0;
+		return key_senderror(so, m, EINVAL);
 	}
 
 	id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
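Review bot: no behavioural change in this hunk, only a consolidation of the invalid-message path: replacing `key_senderror(so, m, EINVAL); return 0;` with `return key_senderror(so, m, EINVAL);` means key_spddelete2 now returns whatever key_senderror returns instead of a constant 0. That is consistent with the form used in the second hunk, but it is worth confirming that the caller of key_spddelete2 treats a non-zero return from key_senderror the same way it treated the previous unconditional 0; otherwise keep the two statements separate here and limit the patch to the missing-return fix below.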
@@ -2101,7 +2100,7 @@
 	/* Is there SP in SPD ? */
 	if ((sp = key_getspbyid(id)) == NULL) {
 		ipseclog((LOG_DEBUG, "key_spddelete2: no SP found id:%u.\n", id));
-		key_senderror(so, m, EINVAL);
+		return key_senderror(so, m, EINVAL);
 	}
 
 	sp->state = IPSEC_SPSTATE_DEAD;
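Review bot: this hunk is the actual fix for the crash. In the old code the "no SP found" path logged and queued the EINVAL reply but never returned, so control fell through to `sp->state = IPSEC_SPSTATE_DEAD;` with sp == NULL, which is the NULL dereference the report describes. Turning the call into `return key_senderror(so, m, EINVAL);` closes that path. Two follow-ups: the How-To-Repeat section is empty, so a short reproduction (an SADB_X_SPDDELETE2 request for a policy id that is not in the SPD) should be added to let the fix be verified; and since an unknown id is a lookup failure rather than a malformed message, consider whether ENOENT describes it better than EINVAL, or note that EINVAL is kept deliberately to match the existing error code.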


>Release-Note:
>Audit-Trail:
>Unformatted: