Date: Tue, 8 Apr 2008 07:38:51 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: blue <susan.lan@zyxel.com.tw> Cc: freebsd-net@freebsd.org Subject: Re: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0 Message-ID: <20080408073822.Q66744@maildrop.int.zabbadoz.net> In-Reply-To: <47FAECE5.1070008@zyxel.com.tw> References: <47FAECE5.1070008@zyxel.com.tw>
index | next in thread | previous in thread | raw e-mail
On Tue, 8 Apr 2008, blue wrote:
Hi,
> Dear all:
>
> About the KEY_FREESAV() in key_checkrequest() in key.c:
>
> line 806:
> if (isr->sav != NULL) {
> KEY_FREESAV(&isr->sav);
> isr->sav = NULL;
> }
>
> The codes are only going to free the sav used LAST TIME. For outgoing SA
> entries, the reference count will be always 2, instead of 1 like incoming SA.
> I thought the proper place to call KEY_FREESAV() should be
> ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each
> transform's output function. Then the SA will be freed after its usage rather
> than being freed if there's next IPsec packet.
>
> If the above condition is accpeted, then key_delsp() in key.c should not call
> KEY_FREESAV() in case SA reference count underflow!
Can you please file a PR for this as well?
Thanks
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080408073822.Q66744>