Date: Wed, 27 Feb 2008 01:16:23 -0600 (CST)
From: Matthew Grooms <mgrooms@shrew.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: bzeeb-lists@lists.zabbadoz.net
Subject: kern/121140: FAST IPsec spd_delete2 bug ...
Message-ID: <200802270716.m1R7GN8L065275@hole.shrew.net>
Resent-Message-ID: <200802270750.m1R7o2VO090426@freefall.freebsd.org>
>Number: 121140
>Category: kern
>Synopsis: FAST IPsec spd_delete2 bug ...
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 27 07:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Matthew Grooms
>Release: FreeBSD 6.2-RELEASE i386
>Organization:
Shrew Soft Inc
>Environment:
System: FreeBSD hole.shrew.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 15 17:47:14 UTC 2007 root@hole.shrew.net:/usr/obj/usr/src/sys/CUSTOM i386
I believe this affects all FreeBSD releases with FAST IPsec.
>Description:
There is a bug in /usr/src/sys/netipsec/key.c in FreeBSD FAST IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes.
>How-To-Repeat:
Send an SADB_X_SPDDELETE2 message to PF_KEY with an invalid policy id.
>Fix:
Please apply this patch.
--- spddelete.diff begins here ---
--- key.c Fri Feb 15 02:18:16 2008
+++ key.c.fixed Fri Feb 15 02:18:35 2008
@@ -2125,7 +2125,7 @@
/* Is there SP in SPD ? */
if ((sp = key_getspbyid(id)) == NULL) {
ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id));
- key_senderror(so, m, EINVAL);
+ return key_senderror(so, m, EINVAL);
}
sp->state = IPSEC_SPSTATE_DEAD;
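Review bot: The missing `return` before `key_senderror(so, m, EINVAL)` is the whole bug: when `key_getspbyid(id)` yields NULL the error reply is sent but control falls out of the `if` block and immediately executes `sp->state = IPSEC_SPSTATE_DEAD;` on a NULL `sp`, which is the kernel panic described in the report, reachable by any process that can write an SADB_X_SPDDELETE2 message to a PF_KEY socket. Returning the result of `key_senderror()` is the right shape for the fix, since the other error paths in these PF_KEY handlers use `return key_senderror(...)` as the handler's return value, so the corrected line matches the surrounding convention. Two follow-ups worth doing before committing: grep the rest of key.c for other `key_senderror(` calls that are not preceded by `return`, since the same fall-through pattern may exist in sibling handlers, and regenerate the diff against the tree path (sys/netipsec/key.c) rather than a bare `key.c` / `key.c.fixed` pair so it applies with the usual `-p` level.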
--- spddelete.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
