Date:      Wed, 14 Jan 2004 05:48:39 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Jun-ichiro itojun Hagino <itojun@itojun.org>
Cc:        ume@freebsd.org
Subject:   Re: [PATCH] IPSec fixes
Message-ID:  <Pine.BSF.4.53.0401140532090.30149@e0-0.zab2.int.zabbadoz.net>
In-Reply-To: <20040114003732.E0024A0@coconut.itojun.org>
References:  <20040113033124.7F7BDA6@coconut.itojun.org> <20040114003732.E0024A0@coconut.itojun.org>

On Wed, 14 Jan 2004, Jun-ichiro itojun Hagino wrote:

> > > http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
> > 	dunno if it is correct or not.  need more investigation.
>
> 	locations of key_freesp() are wrong (you end up dereferencing a freed
> 	pointer on ipseclog() because you call key_freesp() beforehand).
> 	other than that, those key_freesp() are needed.  thanks.

*argl* thanks for this. Must have messed this up while manually
extracting the patch from a bigger one.
From what I can see the changes have already been committed.
I will correct my patch within the next hours for those people who
fetch it for fixing their 5.2R.


> 	as for key_sp_unlink(), I don't think the patch is correct.
> 	even if you do not call key_sp_unlink() in key_spdflush(), spd entries
> 	will get unlink'ed in key_timehandler().  therefore the end result
> 	will be the same.

No! Calling key_sp_unlink() from key_spdflush() will result in an
_extra_ call of key_freesp(), and thus the refcnt will be decremented
though it shouldn't be.
This will result in the refcnt being 0 too early while valid
pointers to that secpolicy still exist, and will further lead to "Memory
accessed and/or modified after free" situations sometime after the first
and all successive flushes of the SPD.
Each part of the code checks for state == .._DEAD when getting an
sp from the sptree, so the comment above key_spdflush() is correct: only
mark the sp as dead.

Hope this explains the problem a bit better.

-- 
Greetings

Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74				http://www.zabbadoz.net/



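The reference-count argument in the message above, as an added, constructed model that is not FreeBSD's netkey/key.c and not code from either poster: the function names mirror key.c, but the bodies are a toy. The SPD index holds exactly one reference per entry, key_timehandler() is the single place that unlinks DEAD entries and drops that reference, and key_allocsp() treats DEAD entries as absent, which is why a flush only needs to mark entries DEAD. The "extra drop" flush variant models the additional key_freesp() the message describes (one extra reference drop per entry, with the timer handler still unlinking afterwards) rather than reproducing the exact patch under discussion. Entries live in a static pool and are never really free()d, so a drop on an already freed entry is counted as a use-after-free event instead of corrupting memory; the pool, the slot-indexed sptree and the cached-pointer scenario are all assumptions of this model.

```c
/*
 * Constructed model of the SPD reference-count argument (added example;
 * not FreeBSD's netkey/key.c). Names mirror key.c, bodies are a toy.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IPSEC_SPSTATE_ALIVE = 0, IPSEC_SPSTATE_DEAD = 1 };

struct secpolicy {
    int refcnt;     /* references held: the sptree slot plus every cached pointer */
    int state;      /* ALIVE or DEAD; lookups skip DEAD entries */
    int freed;      /* model of free(): set when refcnt reaches 0 */
};

#define SPTREE_SIZE 4
static struct secpolicy pool[SPTREE_SIZE];      /* assumption: static pool, no real free() */
static struct secpolicy *sptree[SPTREE_SIZE];   /* assumption: slot-indexed SPD, one ref per entry */
static int uaf_events;                          /* key_freesp() on an already freed entry */

static void key_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(sptree, 0, sizeof sptree);
    uaf_events = 0;
}

/* key_newsp(): create an entry and link it into sptree; the index holds one reference. */
static struct secpolicy *key_newsp(int slot) {
    struct secpolicy *sp = &pool[slot];
    sp->refcnt = 1;
    sp->state = IPSEC_SPSTATE_ALIVE;
    sp->freed = 0;
    sptree[slot] = sp;
    return sp;
}

/* key_freesp(): drop one reference and "free" at zero. A drop on an entry that
 * is already freed is the memory-accessed-after-free case the mail describes. */
static void key_freesp(struct secpolicy *sp) {
    if (sp->freed) { uaf_events++; return; }
    if (--sp->refcnt == 0) sp->freed = 1;
}

/* key_allocsp(): hand out an ALIVE entry with a new reference taken for the
 * caller; DEAD entries are treated as absent, so marking DEAD suffices for a flush. */
static struct secpolicy *key_allocsp(int slot) {
    struct secpolicy *sp = sptree[slot];
    if (sp == NULL || sp->state == IPSEC_SPSTATE_DEAD) return NULL;
    sp->refcnt++;
    return sp;
}

/* key_sp_unlink(): remove the entry from the index and drop the index's reference. */
static void key_sp_unlink(int slot) {
    struct secpolicy *sp = sptree[slot];
    if (sp == NULL) return;
    sptree[slot] = NULL;
    key_freesp(sp);
}

/* key_timehandler(): the one place that unlinks DEAD entries. */
static void key_timehandler(void) {
    for (int i = 0; i < SPTREE_SIZE; i++)
        if (sptree[i] != NULL && sptree[i]->state == IPSEC_SPSTATE_DEAD)
            key_sp_unlink(i);
}

/* key_spdflush() as the mail says the comment in key.c prescribes: only mark DEAD. */
static void key_spdflush_mark_only(void) {
    for (int i = 0; i < SPTREE_SIZE; i++)
        if (sptree[i] != NULL) sptree[i]->state = IPSEC_SPSTATE_DEAD;
}

/* The variant the mail objects to, modelled as one extra key_freesp() per entry:
 * key_timehandler() will still unlink, so the index's single reference is dropped twice. */
static void key_spdflush_extra_drop(void) {
    for (int i = 0; i < SPTREE_SIZE; i++)
        if (sptree[i] != NULL) {
            sptree[i]->state = IPSEC_SPSTATE_DEAD;
            key_freesp(sptree[i]);
        }
}

/* Run one flush variant with a cached pointer outstanding (e.g. a PCB's policy
 * cache, an assumption of the model) and return the number of use-after-free
 * events; -1 if a flushed entry is still handed out by key_allocsp(). */
static int run_scenario(void (*flush)(void)) {
    key_reset();
    key_newsp(0);
    struct secpolicy *cached = key_allocsp(0);   /* refcnt 2: index + cache */
    flush();
    key_timehandler();                           /* drops the index's reference */
    if (key_allocsp(0) != NULL) return -1;       /* flushed entries must stay hidden */
    key_freesp(cached);                          /* the cache gives up its reference */
    return uaf_events;
}

int main(void) {
    printf("mark-only flush:  uaf events = %d\n", run_scenario(key_spdflush_mark_only));
    printf("extra-drop flush: uaf events = %d\n", run_scenario(key_spdflush_extra_drop));
    return 0;
}
```

With the mark-only flush the cached pointer's final key_freesp() is the one that takes refcnt to zero, so nothing touches freed memory; with the extra drop, refcnt reaches zero at key_timehandler() while the cache still holds a valid-looking pointer, and the cache's later key_freesp() lands on a freed entry. Both flush variants hide the entry from key_allocsp() equally well, which is the point: the DEAD check already gives the flush its visible effect, and the only thing the extra unlink changes is the reference count.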
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.53.0401140532090.30149>