ipsec: Return error code if no matching SA was found

If we matched SP to a packet, but no associated SA was found ipsec4_allocsa will return NULL while setting error=0. This resulted in use after free and potential kernel panic. Return EINPROGRESS if the case described above instead. Obtained from: Semihalf Sponsored by: Stormshield Differential revision: https://reviews.freebsd.org/D30994
2024-12-14 10:09:48 +00:00 · 2021-08-13 09:35:08 +02:00 · 2021-08-13 09:35:08 +02:00 · a16771de4c
commit a16771de4c
parent 6b66194bcb
1 changed files with 6 additions and 0 deletions
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@ -322,6 +322,12 @@ ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 	sav = ipsec4_allocsa(m, sp, &idx, &error);
 	if (sav == NULL) {
 		key_freesp(&sp);
+		/*
+		 * No matching SA was found and SADB_ACQUIRE message was generated.
+		 * Since we have matched a SP to this packet drop it silently.
+		 */
+		if (error == 0)
+			error = EINPROGRESS;
 		if (error != EJUSTRETURN)
 			m_freem(m);