[PATCH] IPSec fixes
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Jan 13 21:50:13 PST 2004
On Wed, 14 Jan 2004, Jun-ichiro itojun Hagino wrote:
> > > http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
> > dunno if it is correct or not. need more investigation.
> locations of key_freesp() are wrong (you end up dereferencing a freed
> pointer in ipseclog() because you call key_freesp() beforehand).
> other than that, those key_freesp() are needed. thanks.
*argl* thanks for this. Must have messed this up while manually
extracting the patch from a bigger one.
From what I can see, the changes have already been committed.
I will correct my patch within the next few hours for those people who
fetch it to fix their 5.2R.
> as for key_sp_unlink(), i don't think the patch is correct.
> even if you do not call key_sp_unlink() in key_spdflush(), spd entries
> will get unlink'ed in key_timehandler(). therefore the end result
> will be the same.
No! Calling key_sp_unlink() from key_spdflush() will result in an
_extra_ call of key_freesp(), and thus refcnt will be decremented
though it shouldn't be.
This will result in the refcnt being 0 too early while valid
pointers to that secpolicy still exist, and will further lead to "Memory
accessed and/or modified after free" situations sometime after the first
and all successive flushes of the SPD.
Each part of the code checks for state == .._DEAD when getting an
sp from the sptree, so the comment above key_spdflush() is correct: only
mark the sp as dead.
Hope this explains the problem a bit better.
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/
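The refcount argument in the message above, reduced to a toy model (added here as an illustration; this is not code from the mail, the patch or FreeBSD's key.c). The function names mirror the ones discussed, but every body is an assumption made for the demonstration: the tree owns one reference per policy, lookups take a reference and skip DEAD entries, key_sp_unlink() releases the tree's reference with no "already unchained" guard, and the reaper key_timehandler() scans a small allocation pool for DEAD policies, which stands in for whatever path lets a policy be unlinked a second time (the message does not spell that path out). Nothing is really freed: a freed entry is flagged so a use after free can be counted instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model only; names follow the message, bodies are assumptions. */
enum { SPSTATE_ALIVE = 0, SPSTATE_DEAD = 1 };

struct secpolicy {
    struct secpolicy *next;  /* chain in the toy sptree */
    int id;
    int state;
    int refcnt;              /* one ref held by the tree + one per holder */
    int freed;               /* simulation: set instead of calling free() */
    int in_use;              /* pool slot allocated */
};

#define NSP 4
static struct secpolicy pool[NSP];      /* constructed: tiny allocation pool */
static struct secpolicy *sptree;        /* list head of the toy SPD */
static int uaf_count;                   /* touches of entries already "freed" */

static void sp_reset(void) {
    memset(pool, 0, sizeof pool);
    sptree = NULL;
    uaf_count = 0;
}

/* key_spdadd(): allocate a policy and chain it; the tree owns one reference. */
static struct secpolicy *key_spdadd(int id) {
    for (int i = 0; i < NSP; i++) {
        if (!pool[i].in_use) {
            struct secpolicy *sp = &pool[i];
            sp->in_use = 1; sp->id = id; sp->state = SPSTATE_ALIVE;
            sp->refcnt = 1;
            sp->next = sptree; sptree = sp;
            return sp;
        }
    }
    return NULL;
}

/* key_freesp(): drop one reference; "free" at zero. A drop on a freed entry is a UAF. */
static void key_freesp(struct secpolicy *sp) {
    if (sp->freed) { uaf_count++; return; }
    if (--sp->refcnt <= 0) { sp->freed = 1; sp->in_use = 0; }
}

/* key_sp_unlink(): remove from the chain and release the tree's reference
 * (assumed: no guard against being called twice for the same entry). */
static void key_sp_unlink(struct secpolicy *sp) {
    for (struct secpolicy **pp = &sptree; *pp; pp = &(*pp)->next)
        if (*pp == sp) { *pp = sp->next; sp->next = NULL; break; }
    key_freesp(sp);
}

/* Lookup as every user of the sptree does it: skip DEAD entries, take a reference. */
static struct secpolicy *key_allocsp(int id) {
    for (struct secpolicy *sp = sptree; sp; sp = sp->next) {
        if (sp->freed) { uaf_count++; continue; }
        if (sp->state == SPSTATE_DEAD) continue;
        if (sp->id == id) { sp->refcnt++; return sp; }
    }
    return NULL;
}

/* key_timehandler(): the reaper; unlinks every DEAD policy still allocated. */
static void key_timehandler(void) {
    for (int i = 0; i < NSP; i++)
        if (pool[i].in_use && pool[i].state == SPSTATE_DEAD)
            key_sp_unlink(&pool[i]);
}

/* key_spdflush() as the message recommends: only mark the entries dead. */
static void key_spdflush_mark_only(void) {
    for (struct secpolicy *sp = sptree; sp; sp = sp->next)
        sp->state = SPSTATE_DEAD;
}

/* The variant the message objects to: mark dead and unlink immediately. */
static void key_spdflush_unlink(void) {
    struct secpolicy *sp, *next;
    for (sp = sptree; sp; sp = next) {
        next = sp->next;
        sp->state = SPSTATE_DEAD;
        key_sp_unlink(sp);
    }
}

/* A caller that looked a policy up before the flush and uses it afterwards. */
static int holder_touch(struct secpolicy *sp) {
    if (sp->freed) { uaf_count++; return -1; }
    return sp->id;
}

/* Run one flush strategy with a holder in flight; return the number of UAF hits. */
static int run_scenario(void (*flush)(void)) {
    sp_reset();
    key_spdadd(1);
    key_spdadd(2);
    struct secpolicy *held = key_allocsp(2);   /* refcnt 2: tree + holder */
    flush();
    key_timehandler();                         /* reaper releases the tree's ref */
    holder_touch(held);                        /* holder still has a valid pointer */
    key_freesp(held);                          /* holder releases its own ref */
    key_timehandler();
    return uaf_count;
}

/* After a mark-only flush, lookups must not hand out the DEAD entry. */
static int lookup_after_flush_is_null(void) {
    sp_reset();
    key_spdadd(1);
    key_spdflush_mark_only();
    return key_allocsp(1) == NULL && uaf_count == 0;
}

int main(void) {
    printf("mark only : %d use-after-free hits\n", run_scenario(key_spdflush_mark_only));
    printf("unlink too: %d use-after-free hits\n", run_scenario(key_spdflush_unlink));
    printf("DEAD entry hidden from lookup: %d\n", lookup_after_flush_is_null());
    return 0;
}
```

With the mark-only flush the holder's reference keeps refcnt at 1 until the holder itself calls key_freesp(); with the unlink-in-flush variant the tree's reference is released twice, refcnt reaches 0 while the holder's pointer is still live, and both the holder's next access and its final key_freesp() land on freed memory.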