git: 1a56620b7958 - main - ipsec esp: avoid dereferencing freed secasindex
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 26 Feb 2024 14:28:04 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=1a56620b7958cac2b9048589cb730c46958ab539
commit 1a56620b7958cac2b9048589cb730c46958ab539
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2024-02-25 10:30:48 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-02-26 14:27:46 +0000
ipsec esp: avoid dereferencing freed secasindex
It is possible that SA was removed while processing packed, in which
case it is changed to the DEAD state and it index is removed from the
tree. Dereferencing sav->sah then touches freed memory.
Reviewed by: ae
Sponsored by: NVIDIA networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D44079
---
sys/netipsec/xform_esp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 16f7b24375fa..7ad6085db87f 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -508,6 +508,13 @@ esp_input_cb(struct cryptop *crp)
xd = crp->crp_opaque;
CURVNET_SET(xd->vnet);
sav = xd->sav;
+ if (sav->state >= SADB_SASTATE_DEAD) {
+ /* saidx is freed */
+ DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi));
+ ESPSTAT_INC(esps_notdb);
+ error = ESRCH;
+ goto bad;
+ }
skip = xd->skip;
protoff = xd->protoff;
cryptoid = xd->cryptoid;