diff options
| author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 15:27:49 -0500 |
|---|---|---|
| committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 12:02:15 -0500 |
| commit | 5696701b2e19f4a198340ada5b4ba73fa5c6c9f9 (patch) | |
| tree | 93cc9ec4253fb4f506b392065fab2214e23b2e51 /sys/netipsec/xform_ipcomp.c | |
| parent | c10a06fdafd86efa4c2c4c262870f0d5276dd625 (diff) | |
| download | FreeBSD-src-5696701b2e19f4a198340ada5b4ba73fa5c6c9f9.zip FreeBSD-src-5696701b2e19f4a198340ada5b4ba73fa5c6c9f9.tar.gz | |
MFC r282046:
Fix possible use after free due to security policy deletion.
When we are passing mbuf to IPSec processing via ipsec[46]_process_packet(),
we hold one reference to security policy and release it just after return
from this function. But IPSec processing can be deffered and when we release
reference to security policy after ipsec[46]_process_packet(), user can
delete this security policy from SPDB. And when IPSec processing will be
done, xform's callback function will do access to already freed memory.
To fix this move KEY_FREESP() into callback function. Now IPSec code will
release reference to SP after processing will be finished.
Differential Revision: https://reviews.freebsd.org/D2324
No objections from: #network
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netipsec/xform_ipcomp.c')
| -rw-r--r-- | sys/netipsec/xform_ipcomp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 1519f15..a5d1e57 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -492,6 +492,7 @@ ipcomp_output_cb(struct cryptop *crp) skip = tc->tc_skip; isr = tc->tc_isr; + IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp")); IPSECREQUEST_LOCK(isr); sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ @@ -606,16 +607,18 @@ ipcomp_output_cb(struct cryptop *crp) error = ipsec_process_done(m, isr); KEY_FREESAV(&sav); IPSECREQUEST_UNLOCK(isr); - return error; + KEY_FREESP(&isr->sp); + return (error); bad: if (sav) KEY_FREESAV(&sav); IPSECREQUEST_UNLOCK(isr); + KEY_FREESP(&isr->sp); if (m) m_freem(m); free(tc, M_XDATA); crypto_freereq(crp); - return error; + return (error); } static struct xformsw ipcomp_xformsw = { |
