kern/122563: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0

susan.lan at zyxel.com.tw
Tue Apr 8 11:20:01 UTC 2008


>Number:         122563
>Category:       kern
>Synopsis:       [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 2 i386 PCs with FreeBSD7.0-Release 

>Description:
	About the KEY_FREESAV() in key_checkrequest() in key.c:

line 806:
   if (isr->sav != NULL) {
      KEY_FREESAV(&isr->sav);
      isr->sav = NULL;
   }

The code only frees the sav used LAST TIME. For outgoing SA entries, the reference count will always be 2, instead of 1 as for incoming SAs. I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel(), after invoking each transform's output function. Then the SA will be freed after its use rather than being freed only when the next IPsec packet arrives.

If the above is accepted, then key_delsp() in key.c should not call KEY_FREESAV(), or the SA reference count will underflow!


>How-To-Repeat:
	Create an IPsec tunnel between the 2 PCs; for the outgoing SA, the reference count will always be 2, instead of 1.

>Fix:
	I have given a solution in the description already.


>Release-Note:
>Audit-Trail:
>Unformatted:
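
The reference-count behaviour the report describes, as an added toy model (not code from the PR and not FreeBSD's key.c): one SAD reference plus one reference cached in isr->sav, with key_checkrequest() releasing the cached reference only when the next packet arrives, beside the proposed release-after-use placement and the key_delsp() underflow the submitter warns about. The names secasvar, refcnt, key_allocsa, key_freesav, key_checkrequest and key_delsp echo key.c, but every body here is a simplification written for this example; letting the delsp path see the SA pointer directly is likewise an assumption of the model, not the kernel's data layout.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of SA reference counting on the IPsec output path, written to
 * illustrate the argument in PR 122563.  Names echo FreeBSD's
 * netipsec/key.c, but every body below is a simplification for this
 * example, not the kernel's code.
 */
struct secasvar {
    unsigned refcnt;    /* references held: the SAD entry plus any caller */
    int destroyed;      /* set once refcnt drops to zero */
};

struct ipsecrequest {
    struct secasvar *sav;   /* SA cached from the previous lookup */
};

/* The SAD holds one reference for as long as the SA is installed. */
static void sad_install(struct secasvar *sav)
{
    sav->refcnt = 1;
    sav->destroyed = 0;
}

/* A lookup hands the caller its own reference. */
static struct secasvar *key_allocsa(struct secasvar *sav)
{
    sav->refcnt++;
    return sav;
}

/* KEY_FREESAV(): drop one reference; at zero the SA is destroyed. */
static void key_freesav(struct secasvar **psav)
{
    struct secasvar *sav = *psav;
    if (sav->refcnt > 0 && --sav->refcnt == 0)
        sav->destroyed = 1;
    *psav = NULL;
}

/* key_checkrequest() as the PR describes it: release the SA cached from the
 * previous packet, then look up and cache the SA for this one. */
static void key_checkrequest(struct ipsecrequest *isr, struct secasvar *sav)
{
    if (isr->sav != NULL) {
        key_freesav(&isr->sav);
        isr->sav = NULL;
    }
    isr->sav = key_allocsa(sav);
}

/* Stand-in for esp/ah output: the SA is only needed while this runs. */
static void transform_output(struct secasvar *sav)
{
    (void)sav;
}

/* Current placement: refcount observed after npackets outgoing packets. */
unsigned refcnt_current(unsigned npackets)
{
    struct secasvar sa;
    struct ipsecrequest isr = { NULL };

    sad_install(&sa);
    for (unsigned i = 0; i < npackets; i++) {
        key_checkrequest(&isr, &sa);
        transform_output(isr.sav);
        /* isr.sav keeps its reference until the next packet arrives */
    }
    return sa.refcnt;
}

/* Proposed placement: release in the output path right after the transform. */
unsigned refcnt_proposed(unsigned npackets)
{
    struct secasvar sa;
    struct ipsecrequest isr = { NULL };

    sad_install(&sa);
    for (unsigned i = 0; i < npackets; i++) {
        key_checkrequest(&isr, &sa);
        transform_output(isr.sav);
        key_freesav(&isr.sav);      /* drop the per-packet reference now */
    }
    return sa.refcnt;
}

/* The underflow the PR warns about: the per-packet release is in place, but
 * key_delsp() still drops the reference the SP used to cache, so the SAD's
 * own reference goes with it.  Modelled by a stale pointer to the SA (an
 * assumption of this toy).  Returns the destroyed flag of an SA that is
 * still installed in the SAD. */
int delsp_destroys_installed_sa(void)
{
    struct secasvar sa;
    struct ipsecrequest isr = { NULL };
    struct secasvar *stale = &sa;

    sad_install(&sa);
    key_checkrequest(&isr, &sa);
    transform_output(isr.sav);
    key_freesav(&isr.sav);          /* per-packet release: refcnt back to 1 */
    key_freesav(&stale);            /* key_delsp()'s extra release: refcnt 0 */
    return sa.destroyed;
}

int main(void)
{
    printf("current placement, 1 packet:   refcnt=%u\n", refcnt_current(1));
    printf("current placement, 5 packets:  refcnt=%u\n", refcnt_current(5));
    printf("proposed placement, 5 packets: refcnt=%u\n", refcnt_proposed(5));
    printf("delsp still releasing: SA destroyed while installed=%d\n",
           delsp_destroys_installed_sa());
    return 0;
}
```

With the cached placement the count sits at 2 for as long as traffic flows and only returns to 1 when the SP is deleted; with release-after-use it is 1 between packets, which is exactly why the extra KEY_FREESAV() in key_delsp() would then take the SAD's reference and destroy an SA that is still installed.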

