Take extra reference to security policy before calling crypto_dispatch().

Currently we perform crypto requests for IPSEC synchronous for most of crypto providers (software, aesni) and only VIA padlock calls crypto callback asynchronous. In synchronous mode it is possible, that security policy will be removed during the processing crypto request. And crypto callback will release the last reference to SP. Then upon return into ipsec[46]_process_packet() IPSECREQUEST_UNLOCK() will be called to already freed request. To prevent this we will take extra reference to SP. PR: 201876 Sponsored by: Yandex LLC
author: ae <ae@FreeBSD.org> 2015-09-30 08:16:33 +0000
committer: ae <ae@FreeBSD.org> 2015-09-30 08:16:33 +0000
commit: c3f8d46dc4768cc2260aab00c30a9820ff61ac6e (patch)
tree: 4ad4f6510e88f8efc5d959645df14e0a121c347a /sys/netinet6/ip6_ipsec.c
parent: a6fac84fcf38d1a17650296ab2f345d62e855db1 (diff)
download: FreeBSD-src-c3f8d46dc4768cc2260aab00c30a9820ff61ac6e.zip
FreeBSD-src-c3f8d46dc4768cc2260aab00c30a9820ff61ac6e.tar.gz
1 files changed, 1 insertions, 3 deletions
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index d7f08e9..a99f1db 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -200,9 +200,7 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error)
 
 		/* NB: callee frees mbuf */
 		*error = ipsec6_process_packet(*m, sp->req);
-		/* Release SP if an error occured */
-		if (*error != 0)
-			KEY_FREESP(&sp);
+		KEY_FREESP(&sp);
 		if (*error == EJUSTRETURN) {
 			/*
 			 * We had a SP with a level of 'use' and no SA. We
author	ae <ae@FreeBSD.org>	2015-09-30 08:16:33 +0000
committer	ae <ae@FreeBSD.org>	2015-09-30 08:16:33 +0000
commit	c3f8d46dc4768cc2260aab00c30a9820ff61ac6e (patch)
tree	4ad4f6510e88f8efc5d959645df14e0a121c347a /sys/netinet6/ip6_ipsec.c
parent	a6fac84fcf38d1a17650296ab2f345d62e855db1 (diff)
download	FreeBSD-src-c3f8d46dc4768cc2260aab00c30a9820ff61ac6e.zip FreeBSD-src-c3f8d46dc4768cc2260aab00c30a9820ff61ac6e.tar.gz