Date: Mon, 4 Mar 2024 00:28:15 GMT
Message-Id: <202403040028.4240SFjc042895@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Konstantin Belousov Subject: git: bf58a77ae125 - stable/13 - ipsec esp: avoid dereferencing freed secasindex List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: bf58a77ae125f4e5fd4a2c9bea42ee44340d3736 Auto-Submitted: auto-generated The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=bf58a77ae125f4e5fd4a2c9bea42ee44340d3736 commit bf58a77ae125f4e5fd4a2c9bea42ee44340d3736 Author: Konstantin Belousov AuthorDate: 2024-02-25 10:30:48 +0000 Commit: Konstantin Belousov CommitDate: 2024-03-04 00:27:56 +0000 ipsec esp: avoid dereferencing freed secasindex (cherry picked from commit 1a56620b7958cac2b9048589cb730c46958ab539) --- sys/netipsec/xform_esp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index 37a5c5f4fd8b..a0efea0e5323 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -500,6 +500,13 @@ esp_input_cb(struct cryptop *crp) xd = crp->crp_opaque; CURVNET_SET(xd->vnet); sav = xd->sav; + if (sav->state >= SADB_SASTATE_DEAD) { + /* saidx is freed */ + DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi)); + ESPSTAT_INC(esps_notdb); + error = ESRCH; + goto bad; + } skip = xd->skip; protoff = xd->protoff; cryptoid = xd->cryptoid;
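
Review bot: In the esp_input_cb hunk the new "goto bad" is taken before skip, protoff and cryptoid are loaded from xd, so the code at the bad label (not shown in this hunk) must not read those locals or anything else assigned further down, and must not itself reach the SA's saidx, otherwise the early exit reintroduces the dereference it is meant to avoid. Please confirm that against the cleanup path, and that xd and crp are still released when this branch is taken. The test also reads sav->state with no lock visible in these lines, so the comment or the commit message should say what keeps the SA from going dead immediately after the check; "/* saidx is freed */" on its own does not explain why sav is still safe to dereference (sav->state, sav->spi in the DPRINTF) when its saidx is not.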