mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-27 08:00:11 +00:00
Code Issues Releases Activity

ipsec esp: avoid dereferencing freed secasindex

Browse Source 
It is possible that SA was removed while processing packed, in which
case it is changed to the DEAD state and it index is removed from the
tree. Dereferencing sav->sah then touches freed memory.

Reviewed by:	ae
Sponsored by:	NVIDIA networking
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D44079
This commit is contained in:
Konstantin Belousov 2024-02-25 12:30:48 +02:00
parent 1b3f4ccb7d
commit 1a56620b79
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sys/netipsec/xform_esp.c
View File

@ -508,6 +508,13 @@ esp_input_cb(struct cryptop *crp)
xd = crp->crp_opaque;
CURVNET_SET(xd->vnet);
sav = xd->sav;
if (sav->state >= SADB_SASTATE_DEAD) {
/* saidx is freed */
DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi));
ESPSTAT_INC(esps_notdb);
error = ESRCH;
goto bad;
}
skip = xd->skip;
protoff = xd->protoff;
cryptoid = xd->cryptoid;