Date: Fri, 13 Aug 2021 07:36:40 GMT
From: Wojciech Macek <wma@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: a16771de4c1e - main - ipsec: Return error code if no matching SA was found
Message-ID: <202108130736.17D7aeX7079556@gitrepo.freebsd.org>
The branch main has been updated by wma: URL: https://cgit.FreeBSD.org/src/commit/?id=a16771de4c1e01b52318edfab315d0ba2dce0c65 commit a16771de4c1e01b52318edfab315d0ba2dce0c65 Author: Kornel Duleba <mindal@semihalf.com> AuthorDate: 2021-08-13 07:35:08 +0000 Commit: Wojciech Macek <wma@FreeBSD.org> CommitDate: 2021-08-13 07:35:08 +0000 ipsec: Return error code if no matching SA was found If we matched SP to a packet, but no associated SA was found ipsec4_allocsa will return NULL while setting error=0. This resulted in use after free and potential kernel panic. Return EINPROGRESS if the case described above instead. Obtained from: Semihalf Sponsored by: Stormshield Differential revision: https://reviews.freebsd.org/D30994 --- sys/netipsec/ipsec_output.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index a817b67fd93e..2f8cc12c526b 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -322,6 +322,12 @@ setdf: sav = ipsec4_allocsa(m, sp, &idx, &error); if (sav == NULL) { key_freesp(&sp); + /* + * No matching SA was found and SADB_ACQUIRE message was generated. + * Since we have matched a SP to this packet drop it silently. + */ + if (error == 0) + error = EINPROGRESS; if (error != EJUSTRETURN) m_freem(m);
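Review bot: The added "if (error == 0) error = EINPROGRESS;" in the "sav == NULL" branch repairs the ambiguous return at this one call site instead of inside ipsec4_allocsa(), so the "NULL with error=0" result described in the commit message remains possible for any other code that calls it. Consider setting the error where the SA lookup fails, or at minimum documenting at ipsec4_allocsa() that NULL with error 0 means an acquire is pending. The new comment also asserts that a SADB_ACQUIRE message was generated, which this hunk does not check; if error can be 0 for another reason, the comment and the chosen errno would both be misleading. Finally, the comment says the packet is dropped "silently" while the function now reports a non-zero EINPROGRESS: state in the comment whether callers are expected to treat EINPROGRESS as a non-fatal result, and note that the mbuf has already been released by the following m_freem(m) so callers must not touch it on this path.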