svn commit: r310632 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Tue Dec 27 11:31:19 UTC 2016
Author: ae
Date: Tue Dec 27 11:31:17 2016
New Revision: 310632
URL: https://svnweb.freebsd.org/changeset/base/310632
Log:
The INPCB SP cache can hold a cached pointer to the default security policy.
Bump the SPDB generation id each time the default security policy is
initialized. This prevents access to invalid cached pointers when the
ipsec.ko module is loaded and unloaded several times.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
projects/ipsec/sys/netipsec/key.c
projects/ipsec/sys/netipsec/key.h
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Tue Dec 27 10:26:58 2016 (r310631)
+++ projects/ipsec/sys/netipsec/ipsec.c Tue Dec 27 11:31:17 2016 (r310632)
@@ -1381,6 +1381,9 @@ def_policy_init(const void *unused __unu
bzero(&V_def_policy, sizeof(struct secpolicy));
V_def_policy.policy = IPSEC_POLICY_NONE;
V_def_policy.refcnt = 1;
+
+ /* Force INPCB SP cache invalidation */
+ key_bumpspgen();
}
VNET_SYSINIT(def_policy_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST,
def_policy_init, NULL);
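Review bot: The `key_bumpspgen()` call added at the end of def_policy_init() invalidates cached pointers only when the policy is next initialized, so between an unload and the following load any INPCB cache entry still pointing at the old `V_def_policy` stays marked valid. If anything can consult that cache while the module is gone (not visible from this hunk), the bump would also be needed on the teardown path. The fix also relies on `V_sp_genid` keeping its value across the unload/reload cycle; if the counter were reset to its initializer on load, each load would bump it to the same value and a stale entry could still match. I would expand the comment to record that assumption, e.g. `/* Force INPCB SP cache invalidation: cached entries may still point at a previous V_def_policy; relies on V_sp_genid surviving module reload. */`. The body of def_policy_init() starts outside the hunk.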
Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c Tue Dec 27 10:26:58 2016 (r310631)
+++ projects/ipsec/sys/netipsec/key.c Tue Dec 27 11:31:17 2016 (r310632)
@@ -747,6 +747,13 @@ key_getspgen(void)
return (V_sp_genid);
}
+void
+key_bumpspgen(void)
+{
+
+ V_sp_genid++;
+}
+
static int
key_checksockaddrs(struct sockaddr *src, struct sockaddr *dst)
{
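Review bot: `V_sp_genid++` in the new key_bumpspgen() is a plain read-modify-write with no lock or atomic operation visible in the hunk. If other paths in key.c advance the generation under the SPDB lock (not shown here), a concurrent bump can lose an increment, and a lost increment leaves a stale cached policy pointer looking current. Since `key_getspgen()` returns `uint32_t`, either use `atomic_add_32(&V_sp_genid, 1);` if the variable's declaration allows it, or state the serialization contract above the function, e.g. `/* Invalidate all INPCB SP cache entries. Caller must serialize against other V_sp_genid updates. */`. The function currently has no comment at all, although it is exported through key.h.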
Modified: projects/ipsec/sys/netipsec/key.h
==============================================================================
--- projects/ipsec/sys/netipsec/key.h Tue Dec 27 10:26:58 2016 (r310631)
+++ projects/ipsec/sys/netipsec/key.h Tue Dec 27 11:31:17 2016 (r310632)
@@ -53,6 +53,7 @@ void key_addref(struct secpolicy *);
void key_freesp(struct secpolicy **);
int key_spdacquire(struct secpolicy *);
int key_havesp(u_int);
+void key_bumpspgen(void);
uint32_t key_getspgen(void);
uint32_t key_newreqid(void);