kern/156676: [ipsec][patch] reference to policy in key_spdget is not released

Tobias Brunner tobias at
Wed Apr 27 12:20:10 UTC 2011

>Number:         156676
>Category:       kern
>Synopsis:       [ipsec][patch] reference to policy in key_spdget is not released
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 27 12:20:07 UTC 2011
>Originator:     Tobias Brunner
>Release:        8.2-RELEASE
strongSwan Project
FreeBSD bsd.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Apr 26 17:58:34 CEST 2011     root at bsd.localdomain:/usr/obj/usr/src/sys/IPSEC  i386
In key_spdget the reference to the requested policy that gets allocated in key_get_spdbyid is not released (e.g. with a call to KEY_FREESP).

strongSwan, for example, uses SADB_X_SPDGET to query the last use time of a policy in order to check for idleness (and for status reports).  By increasing the reference count with each request, the policies cannot be deleted with a single SPD_X_SPDDELETE anymore.

See attached patch...

Patch attached with submission follows:

--- sys/netipsec/key.orig.c	2011-04-27 13:39:43.000000000 +0200
+++ sys/netipsec/key.c	2011-04-27 14:14:24.000000000 +0200
@@ -2273,6 +2273,7 @@
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
+	int error;
 	IPSEC_ASSERT(so != NULL, ("null socket"));
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -2297,9 +2298,12 @@
 	n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
 	if (n != NULL) {
-		return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
+		error = key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 	} else
-		return key_senderror(so, m, ENOBUFS);
+		error = key_senderror(so, m, ENOBUFS);
+	KEY_FREESP(&sp);
+	return error;


More information about the freebsd-bugs mailing list