Date: Tue, 8 Apr 2008 07:38:51 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: blue <susan.lan@zyxel.com.tw> Cc: freebsd-net@freebsd.org Subject: Re: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0 Message-ID: <20080408073822.Q66744@maildrop.int.zabbadoz.net> In-Reply-To: <47FAECE5.1070008@zyxel.com.tw> References: <47FAECE5.1070008@zyxel.com.tw>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 8 Apr 2008, blue wrote:
Hi,
> Dear all:
>
> About the KEY_FREESAV() in key_checkrequest() in key.c:
>
> line 806:
> if (isr->sav != NULL) {
> KEY_FREESAV(&isr->sav);
> isr->sav = NULL;
> }
>
> The codes are only going to free the sav used LAST TIME. For outgoing SA
> entries, the reference count will be always 2, instead of 1 like incoming SA.
> I thought the proper place to call KEY_FREESAV() should be
> ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each
> transform's output function. Then the SA will be freed after its usage rather
> than being freed if there's next IPsec packet.
>
> If the above condition is accpeted, then key_delsp() in key.c should not call
> KEY_FREESAV() in case SA reference count underflow!
Can you please file a PR for this as well?
Thanks
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080408073822.Q66744>