From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 8 11:20:01 2008
Message-Id: <200804081111.m38BBErS091585@death.ath.cx>
Date: Tue, 8 Apr 2008 19:11:14 +0800 (CST)
From: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/122563: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
Reply-To: susan.lan@zyxel.com.tw

>Number: 122563
>Category: kern
>Synopsis: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 08 11:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Yi-Wen Lan
>Release: FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 2 i386 PCs with FreeBSD7.0-Release

>Description:
About the KEY_FREESAV() in key_checkrequest() in key.c:

line 806:
        if (isr->sav != NULL) {
                KEY_FREESAV(&isr->sav);
                isr->sav = NULL;
        }

The code is only going to free the sav used LAST TIME. For outgoing SA entries, the reference count will always be 2, instead of 1 like incoming SA.

I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each transform's output function. Then the SA will be freed after its usage rather than being freed if there's a next IPsec packet.

If the above condition is accepted, then key_delsp() in key.c should not call KEY_FREESAV(), in case of SA reference count underflow!

>How-To-Repeat:
Create an IPsec tunnel between the 2 PCs; for the outgoing SA, the reference count will always be 2, instead of 1.

>Fix:
I have a solution in the description already.

>Release-Note:
>Audit-Trail:
>Unformatted:
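
The reference-count lifetimes described in the report, as an added example that is not part of the original message and is not FreeBSD kernel code: a user-space model comparing "release on the next lookup" with "release after use", and showing why a teardown path that still releases would then drop one reference too many. The names `sav`, `isr`, `send_packet` and `refcnt_after` are hypothetical, the starting count of 1 is the figure the report gives for incoming SAs, and the model assumes the proposed change leaves the `isr->sav` pointer in place.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of the SA reference counting described in the report.
 * All names are hypothetical; this is not FreeBSD kernel code. */
struct sav { int refcnt; };        /* stands in for an SA entry */
struct isr { struct sav *sav; };   /* stands in for an IPsec request */

/* One outgoing packet. release_after_use == 0 models the quoted lines
 * (drop the reference taken for the previous packet); 1 models the
 * proposal (drop it once the transform's output function has run).
 * Assumption: the proposal leaves the isr->sav pointer in place. */
static void send_packet(struct isr *isr, struct sav *sa, int release_after_use)
{
    if (!release_after_use && isr->sav != NULL)
        isr->sav->refcnt--;
    sa->refcnt++;                  /* reference taken for this packet */
    isr->sav = sa;
    /* the transform's output function would run here */
    if (release_after_use)
        isr->sav->refcnt--;
}

/* Reference count after `packets` packets and, optionally, a policy
 * teardown that still releases a non-NULL isr->sav. The count starts
 * at 1, the count the report gives for incoming SAs. */
int refcnt_after(int packets, int release_after_use, int teardown_releases)
{
    struct sav sa = { 1 };
    struct isr isr = { NULL };

    for (int i = 0; i < packets; i++)
        send_packet(&isr, &sa, release_after_use);
    if (teardown_releases && isr.sav != NULL)
        sa.refcnt--;
    return sa.refcnt;
}

int main(void)
{
    printf("idle, release on next lookup: %d\n", refcnt_after(3, 0, 0));
    printf("idle, release after use:      %d\n", refcnt_after(3, 1, 0));
    printf("teardown, next-lookup model:  %d\n", refcnt_after(3, 0, 1));
    printf("teardown, both paths release: %d\n", refcnt_after(3, 1, 1));
    return 0;
}
```

In the last case the count reaches 0 while the model's baseline reference is still supposed to exist, which is the unbalanced release the report's final paragraph is concerned with.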