From: "Bjoern A. Zeeb"
Date: Wed, 14 Jan 2004 05:48:39 +0000 (UTC)
To: Jun-ichiro itojun Hagino
Cc: core@kame.net, current@freebsd.org, "Bjoern A. Zeeb", ume@freebsd.org
Subject: Re: [PATCH] IPSec fixes
In-Reply-To: <20040114003732.E0024A0@coconut.itojun.org>
References: <20040113033124.7F7BDA6@coconut.itojun.org> <20040114003732.E0024A0@coconut.itojun.org>

On Wed, 14 Jan 2004, Jun-ichiro itojun Hagino wrote:

> > > http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
> > dunno if it is correct or not. need more investigation.
>
> locations of key_freesp() are wrong (you end up dereferencing a freed
> pointer in ipseclog() because you call key_freesp() beforehand).
> other than that, those key_freesp() are needed. thanks.

*argl* thanks for this. Must have messed this up while manually extracting
the patch from a bigger one. From what I can see the changes have already
been committed. I will correct my patch within the next hours for those
people who fetch it for fixing their 5.2R.

> as for key_sp_unlink(), i don't think the patch is correct.
> even if you do not call key_sp_unlink() in key_spdflush(), spd entries
> will get unlink'ed in key_timehandler(). therefore the end result
> will be the same.

No! Calling key_sp_unlink() from key_spdflush() will result in an _extra_
call of key_freesp(), and thus refcnt will be decremented though it
shouldn't be. This will result in a refcnt being 0 too early while there
are still valid pointers to that secpolicy, and will further lead to
"Memory accessed and/or modified after free" situations sometime after the
first and all successive flushes of the SPD.

Each part of the code checks for state == .._DEAD when getting an sp from
sptree, so the comment above key_spdflush() is correct: only mark the sp as
dead.

Hope this explains the problem a bit better.

--
Greetings
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/