From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 27 12:20:10 2011
Message-Id: <201104271217.p3RCHxBH084448@red.freebsd.org>
Date: Wed, 27 Apr 2011 12:17:59 GMT
From: Tobias Brunner
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/156676: [ipsec][patch] reference to policy in key_spdget is not released

>Number: 156676
>Category: kern
>Synopsis: [ipsec][patch] reference to policy in key_spdget is not released
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 27 12:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tobias Brunner
>Release: 8.2-RELEASE
>Organization: strongSwan Project
>Environment:
FreeBSD bsd.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Apr 26 17:58:34 CEST 2011 root@bsd.localdomain:/usr/obj/usr/src/sys/IPSEC i386
>Description:
In key_spdget the reference to the requested policy that gets allocated in key_get_spdbyid is not released (e.g. with a call to KEY_FREESP). strongSwan, for example, uses SADB_X_SPDGET to query the last use time of a policy in order to check for idleness (and for status reports). By increasing the reference count with each request, the policies cannot be deleted with a single SPD_X_SPDDELETE anymore.
>How-To-Repeat:
>Fix:
See attached patch...

Patch attached with submission follows:

--- sys/netipsec/key.orig.c 2011-04-27 13:39:43.000000000 +0200 +++ sys/netipsec/key.c 2011-04-27 14:14:24.000000000 +0200 @@ -2273,6 +2273,7 @@ u_int32_t id; struct secpolicy *sp; struct mbuf *n; + int error; IPSEC_ASSERT(so != NULL, ("null socket")); IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -2297,9 +2298,12 @@ n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid); if (n != NULL) { m_freem(m); - return key_sendup_mbuf(so, n, KEY_SENDUP_ONE); + error = key_sendup_mbuf(so, n, KEY_SENDUP_ONE); } else - return key_senderror(so, m, ENOBUFS); + error = key_senderror(so, m, ENOBUFS); + + KEY_FREESP(&sp); + return error; } /* >Release-Note: >Audit-Trail: >Unformatted:
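
Review bot: in the second hunk, KEY_FREESP(&sp) is placed after both send calls, but the last visible use of sp is the key_setdumpsp() call, so the release can go directly after that call instead. That keeps the two original return statements, makes the `int error;` added in the first hunk unnecessary, and drops the policy reference before the reply is sent up rather than after. A one-line comment above the free saying that it balances the reference taken in key_get_spdbyid (as the description states) would make the pairing obvious to the next reader. The lines between the two hunks are not shown, so it is worth confirming that no other return path between the lookup and key_setdumpsp() leaves with the reference still held.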