From owner-freebsd-bugs@FreeBSD.ORG Wed Feb 27 07:50:03 2008
Message-Id: <200802270716.m1R7GN8L065275@hole.shrew.net>
Date: Wed, 27 Feb 2008 01:16:23 -0600 (CST)
From: Matthew Grooms
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: bzeeb-lists@lists.zabbadoz.net
Subject: kern/121140: FAST IPsec spd_delete2 bug ...
Reply-To: Matthew Grooms

>Number:         121140
>Category:       kern
>Synopsis:       FAST IPsec spd_delete2 bug ...
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 27 07:50:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Grooms
>Release:        FreeBSD 6.2-RELEASE i386
>Organization:
Shrew Soft Inc
>Environment:
System: FreeBSD hole.shrew.net 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 15 17:47:14 UTC 2007 root@hole.shrew.net:/usr/obj/usr/src/sys/CUSTOM i386

I believe this affects all FreeBSD releases with FAST IPsec.
>Description:
There is a bug in /usr/src/sys/netipsec/key.c in the FreeBSD FAST IPsec sources. If an spd_delete2 message is submitted for an invalid policy id, the kernel crashes.
>How-To-Repeat:
Send an SADB_X_SPDDELETE2 message to PF_KEY with an invalid policy id.
>Fix:
Please apply this patch.

--- spddelete.diff begins here ---
--- key.c Fri Feb 15 02:18:16 2008 +++ key.c.fixed Fri Feb 15 02:18:35 2008 @@ -2125,7 +2125,7 @@ /* Is there SP in SPD ? */ if ((sp = key_getspbyid(id)) == NULL) { ipseclog((LOG_DEBUG, "%s: no SP found id:%u.\n", __func__, id)); - key_senderror(so, m, EINVAL); + return key_senderror(so, m, EINVAL); } sp->state = IPSEC_SPSTATE_DEAD;
--- spddelete.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
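Review bot: the defect the hunk fixes is the missing `return` on the error path: with `key_senderror(so, m, EINVAL);` alone, control falls out of the `if` block and reaches `sp->state = IPSEC_SPSTATE_DEAD;` with `sp == NULL`, which is the NULL dereference behind the reported kernel crash, so an unprivileged-looking error case becomes a denial of service. Changing it to `return key_senderror(so, m, EINVAL);` is the right shape, relying (as the patch does) on key_senderror returning the value the handler is expected to return. Since the same "log, key_senderror, no return" pattern is easy to repeat, it is worth checking whether other PF_KEY message handlers in key.c call key_senderror without returning, and the commit message should state that this is a remotely reachable NULL dereference rather than only "spd_delete2 bug".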