Message-ID: <47FAECE5.1070008@zyxel.com.tw>
Date: Tue, 08 Apr 2008 11:56:21 +0800
From: blue
To: freebsd-net@freebsd.org
Subject: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0

Dear all:

About the KEY_FREESAV() in key_checkrequest() in key.c:

line 806:
    if (isr->sav != NULL) {
        KEY_FREESAV(&isr->sav);
        isr->sav = NULL;
    }

The code is only going to free the sav used LAST TIME. For outgoing SA entries, the reference count will always be 2, instead of 1 like incoming SAs.

I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel(), after invoking each transform's output function. Then the SA will be freed after its usage rather than being freed if there's a next IPsec packet.

If the above condition is accepted, then key_delsp() in key.c should not call KEY_FREESAV(), in case the SA reference count underflows!

BR,
blue
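
A simplified user-space model of the reference counting discussed in this message, added here as an example and not taken from the message or from FreeBSD's key.c. `struct sav`, `struct isr` and every function name are hypothetical stand-ins, and the starting count of 1 is an assumed reference held by the SA database.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not the kernel's own structures. */
struct sav { int refcnt; };          /* security association */
struct isr { struct sav *sav; };     /* per-policy request caching an SA */

/* Drop one reference; the assert is the underflow guard. */
static void sav_unref(struct sav *s) { assert(s->refcnt > 0); s->refcnt--; }

/* Pattern quoted in the message: release only the PREVIOUS packet's
 * reference, then take and cache a new one for this packet. */
static void checkrequest(struct isr *isr, struct sav *found) {
    if (isr->sav != NULL) {
        sav_unref(isr->sav);
        isr->sav = NULL;
    }
    found->refcnt++;
    isr->sav = found;
}

/* Cached variant: the reference stays held between packets. */
static int send_cached(struct isr *isr, struct sav *sa, int npkts) {
    for (int i = 0; i < npkts; i++)
        checkrequest(isr, sa);       /* transform output would run here */
    return sa->refcnt;
}

/* Variant proposed in the message: release right after the output step. */
static int send_release_after_use(struct isr *isr, struct sav *sa, int npkts) {
    for (int i = 0; i < npkts; i++) {
        checkrequest(isr, sa);
        sav_unref(isr->sav);
        isr->sav = NULL;
    }
    return sa->refcnt;
}

/* Policy teardown: release only a reference that is still cached. */
static int delsp(struct isr *isr, struct sav *sa) {
    if (isr->sav != NULL) { sav_unref(isr->sav); isr->sav = NULL; }
    return sa->refcnt;
}

int main(void) {
    struct sav a = { 1 }, b = { 1 };         /* constructed sample state */
    struct isr ra = { NULL }, rb = { NULL };
    printf("cached: %d\n", send_cached(&ra, &a, 3));
    printf("release-after-use: %d\n", send_release_after_use(&rb, &b, 3));
    printf("after teardown: %d %d\n", delsp(&ra, &a), delsp(&rb, &b));
    return 0;
}
```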