Re: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
- From: "Bjoern A. Zeeb" <bzeeb-lists@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Apr 2008 07:38:51 +0000 (UTC)
On Tue, 8 Apr 2008, blue wrote:
Hi,
Dear all:
About the KEY_FREESAV() in key_checkrequest() in key.c:
line 806:
if (isr->sav != NULL) {
KEY_FREESAV(&isr->sav);
isr->sav = NULL;
}
The codes are only going to free the sav used LAST TIME. For outgoing SA entries, the reference count will be always 2, instead of 1 like incoming SA. I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each transform's output function. Then the SA will be freed after its usage rather than being freed if there's next IPsec packet.
If the above condition is accpeted, then key_delsp() in key.c should not call KEY_FREESAV() in case SA reference count underflow!
Can you please file a PR for this as well?
Thanks
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- References:
- [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
- From: blue
- [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
- Prev by Date: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
- Next by Date: Re: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
- Previous by thread: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
- Next by thread: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
- Index(es):
Relevant Pages
|
