kern/156676: [ipsec][patch] reference to policy in key_spdget is not released
Tobias Brunner
tobias at strongswan.org
Wed Apr 27 12:20:10 UTC 2011
>Number: 156676
>Category: kern
>Synopsis: [ipsec][patch] reference to policy in key_spdget is not released
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 27 12:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tobias Brunner
>Release: 8.2-RELEASE
>Organization:
strongSwan Project
>Environment:
FreeBSD bsd.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Apr 26 17:58:34 CEST 2011 root at bsd.localdomain:/usr/obj/usr/src/sys/IPSEC i386
>Description:
In key_spdget the reference to the requested policy that gets allocated in key_get_spdbyid is not released (e.g. with a call to KEY_FREESP).
strongSwan, for example, uses SADB_X_SPDGET to query the last use time of a policy in order to check for idleness (and for status reports). By increasing the reference count with each request, the policies cannot be deleted with a single SPD_X_SPDDELETE anymore.
>How-To-Repeat:
>Fix:
See attached patch...
Patch attached with submission follows:
--- sys/netipsec/key.orig.c 2011-04-27 13:39:43.000000000 +0200
+++ sys/netipsec/key.c 2011-04-27 14:14:24.000000000 +0200
@@ -2273,6 +2273,7 @@
u_int32_t id;
struct secpolicy *sp;
struct mbuf *n;
+ int error;
IPSEC_ASSERT(so != NULL, ("null socket"));
IPSEC_ASSERT(m != NULL, ("null mbuf"));
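Review bot: `int error;` is declared without an initialiser, so the function is only correct while every path reaching the new `return error;` assigns it first. Both branches of `if (n != NULL)` in the next hunk do assign it, but writing `int error = 0;`, or keeping the direct returns and dropping this local, would not depend on that staying true after later edits.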
@@ -2297,9 +2298,12 @@
n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
if (n != NULL) {
m_freem(m);
- return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
+ error = key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
} else
- return key_senderror(so, m, ENOBUFS);
+ error = key_senderror(so, m, ENOBUFS);
+
+ KEY_FREESP(&sp);
+ return error;
}
/*
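Review bot: In the lines shown, `sp` is not used again after `key_setdumpsp(sp, SADB_X_SPDGET, 0, ...)`, so `KEY_FREESP(&sp);` could go directly after that call, before `if (n != NULL) {`. The two original `return` statements could then stay unchanged, the `error` local would be unnecessary, and the reference would be held for a shorter time. The lookup that takes the reference lies above this hunk's context, so please also confirm that no return between that lookup and `key_setdumpsp` exits with the reference still held.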
>Release-Note:
>Audit-Trail:
>Unformatted:
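The effect described in the report, as an added user-space model that is not part of the original submission and is not FreeBSD kernel code. The names `lookup`, `release`, `spdget`, `spddelete` and `refs_after_single_delete` are hypothetical, and the model assumes the policy database holds one reference that a delete request drops.

```c
#include <stdio.h>

/* Simplified stand-in for the kernel's policy object (constructed model). */
struct policy { unsigned id; int refcnt; };

/* Models the by-id lookup: success hands the caller a new reference. */
static struct policy *lookup(struct policy *db, unsigned id) {
    if (db->refcnt == 0 || db->id != id)
        return NULL;            /* already freed, or no such policy */
    db->refcnt++;
    return db;
}

/* Models KEY_FREESP: drop one reference; a count of 0 means "freed". */
static void release(struct policy *sp) {
    if (sp->refcnt > 0)
        sp->refcnt--;
}

/* Models the SPDGET handler; release_ref == 0 is the pre-patch behaviour. */
static int spdget(struct policy *db, unsigned id, int release_ref) {
    struct policy *sp = lookup(db, id);
    if (sp == NULL)
        return -1;
    if (release_ref)            /* the fix: give the lookup reference back */
        release(sp);
    return 0;
}

/* Models a delete request (assumption: it drops the database's reference). */
static int spddelete(struct policy *db, unsigned id) {
    struct policy *sp = lookup(db, id);
    if (sp == NULL)
        return -1;
    release(sp);                /* reference taken by this lookup */
    release(sp);                /* reference held by the policy database */
    return 0;
}

/* References still pinning the policy after `polls` SPDGETs and one delete. */
int refs_after_single_delete(int polls, int release_ref) {
    struct policy p = { 1, 1 }; /* constructed: linked policy, one reference */
    for (int i = 0; i < polls; i++)
        spdget(&p, 1, release_ref);
    spddelete(&p, 1);
    return p.refcnt;
}

int main(void) {
    printf("pre-patch: %d refs left, patched: %d\n",
           refs_after_single_delete(3, 0), refs_after_single_delete(3, 1));
    return 0;
}
```

In this model each unreleased SPDGET leaves one extra reference on the policy, so a daemon that polls a policy periodically keeps it alive after a single delete request.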