kern/81804: [patch] Deleting non-existent security policy using
SADB_X_SPDDELETE2 crashes FreeBSD 4.x
KAMADA Ken'ichi
kamada at nanohz.org
Thu Jun 2 05:50:03 PDT 2005
>Number: 81804
>Category: kern
>Synopsis: [patch] Deleting non-existent security policy using SADB_X_SPDDELETE2 crashes FreeBSD 4.x
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 02 12:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: KAMADA Ken'ichi <kamada at nanohz.org>
>Release: FreeBSD 4.11-STABLE i386
>Organization:
>Environment:
System: FreeBSD lethe.hongo.wide.ad.jp 4.11-STABLE FreeBSD 4.11-STABLE #15: Thu Jun 2 20:53:04 JST 2005 kamada at lethe.hongo.wide.ad.jp:/usr/obj/usr/src/sys/LETHE i386
with options IPSEC and IPSEC_ESP enabled.
>Description:
The 4.x kernel doesn't return correctly after the check of the existence
of IPsec policy in SADB_X_SPDDELETE2 via PF_KEYv2.
When I try to delete a non-existent policy, a NULL pointer is dereferenced
and the kernel crashes.
FreeBSD 5.x doesn't seem to have this problem.
>How-To-Repeat:
>Fix:
patch against FreeBSD: src/sys/netkey/key.c,v 1.16.2.15 2005/01/13 22:30:16 suz Exp
--- sys/netkey/key.c.orig Fri Jan 14 07:30:16 2005
+++ sys/netkey/key.c Thu Jun 2 20:09:00 2005
@@ -2092,8 +2092,7 @@
if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
ipseclog((LOG_DEBUG, "key_spddelete2: invalid message is passed.\n"));
- key_senderror(so, m, EINVAL);
- return 0;
+ return key_senderror(so, m, EINVAL);
}
id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
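Review bot: the invalid-message branch at the top of this hunk used to return 0 and now returns whatever key_senderror() yields, which is a behaviour change separate from the crash described in the PR. Please say so in the description (or split it into its own patch) and confirm the caller handles the new return value, so the NULL-dereference fix in the next hunk can be reviewed and merged on its own.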
@@ -2101,7 +2100,7 @@
/* Is there SP in SPD ? */
if ((sp = key_getspbyid(id)) == NULL) {
ipseclog((LOG_DEBUG, "key_spddelete2: no SP found id:%u.\n", id));
- key_senderror(so, m, EINVAL);
+ return key_senderror(so, m, EINVAL);
}
sp->state = IPSEC_SPSTATE_DEAD;
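Review bot: the bare `key_senderror(so, m, EINVAL);` in the `key_getspbyid(id) == NULL` branch fell through to `sp->state = IPSEC_SPSTATE_DEAD;` with sp NULL, so please also check the rest of key.c for other key_senderror() calls that are not followed by a return and fix them in the same patch. The How-To-Repeat field of the PR is empty; filling it in would let the fix be regression-tested on 4.x.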
>Release-Note:
>Audit-Trail:
>Unformatted: