On Wed, 14 Jan 2004, Jun-ichiro itojun Hagino wrote:

> > > http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
> > dunno if it is correct or not. need more investigation.
>
> location of key_freesp() are wrong (you end up dereference freed
> pointer on ipseclog() because you call key_freesp() beforehand).
> other than that, those key_freesp() are needed. thanks.

*argl* thanks for this. Must have messed this up while manually
extracting the patch from a bigger one. From what I can see the
changes have already been committed. I will correct my patch within
the next hours for those people who fetch it for fixing their 5.2R.

> as for key_sp_unlink(), i don't think the patch is correct.
> even if you do not call key_sp_unlink() in key_spdflush(), spd entries
> will get unlink'ed in key_timehandler(). therefore the end result
> will be the same.

No! Calling key_sp_unlink() from key_spdflush() will result in an
_extra_ call of key_freesp() and thus refcnt will be decremented
though it shouldn't. This will result in a refcnt being 0 too early
and with valid pointers to that secpolicy and will further lead to
"Memory accessed and/or modified after free" situations somewhen
after the first and all successive flushes of the SPD.

Each part of the code checks for the state == .._DEAD when getting
an sp from sptree so the comment above key_spdflush() is correct.
Only mark the sp as dead.

Hope this explains the problem a bit better.

-- 
Greetings
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

Received on Tue Jan 13 2004 - 20:50:13 UTC
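The refcount argument in the message above, as an added illustration that is not part of the original e-mail and not the FreeBSD/KAME source: a deliberately simplified model of one refcounted policy entry. The names (sp_model, sp_get, sp_put, flush_mark_dead, flush_with_unlink, timer_reap, run_scenario) are hypothetical stand-ins; the real SPD tree, locking and key_timehandler() bookkeeping are not modelled. Instead of really freeing, the model sets a flag so that a release of an already released entry, or a later access through a pointer that a packet path still holds, is counted rather than being undefined behaviour.

```c
/* Added example, not the e-mail's or FreeBSD's code: a toy model of a
 * refcounted security-policy entry, showing why an extra release from
 * the flush path drops the count to zero while a holder still has a
 * valid-looking pointer. All identifiers are hypothetical. */
#include <stdio.h>
#include <stddef.h>

enum { SP_ALIVE = 0, SP_DEAD = 1 };

struct sp_model {
    int refcnt;   /* one reference for the SPD tree, plus one per holder */
    int state;    /* SP_ALIVE or SP_DEAD */
    int freed;    /* set instead of really freeing, so misuse is observable */
    int errors;   /* use-after-free / double-release events observed */
};

static void sp_touch(struct sp_model *sp)
{
    /* Any access after the entry was "freed" is a use-after-free. */
    if (sp->freed)
        sp->errors++;
}

/* Hand out a reference, as a lookup in the SPD tree would. Callers skip
 * dead entries, matching the message's point that every user of the
 * tree checks for the _DEAD state. */
static struct sp_model *sp_get(struct sp_model *sp)
{
    sp_touch(sp);
    if (sp->state == SP_DEAD || sp->freed)
        return NULL;
    sp->refcnt++;
    return sp;
}

/* Drop one reference; the entry is released when the count reaches zero. */
static void sp_put(struct sp_model *sp)
{
    if (sp->freed) {          /* releasing an entry that is already gone */
        sp->errors++;
        return;
    }
    if (--sp->refcnt <= 0)
        sp->freed = 1;
}

/* Correct flush: only mark the entry dead; the tree keeps its reference
 * until the timer path unlinks it. */
static void flush_mark_dead(struct sp_model *sp)
{
    sp->state = SP_DEAD;
}

/* Flush that also unlinks: drops the tree's reference immediately, even
 * though the timer path will drop it again later. */
static void flush_with_unlink(struct sp_model *sp)
{
    sp->state = SP_DEAD;
    sp_put(sp);
}

/* Timer path: unlink each dead entry and drop the tree's reference. */
static void timer_reap(struct sp_model *sp)
{
    if (sp->state == SP_DEAD)
        sp_put(sp);
}

/* One scenario: a packet path holds a reference across a flush.
 * Returns the number of memory-safety errors the model observed. */
int run_scenario(int unlink_in_flush)
{
    struct sp_model sp = { .refcnt = 1, .state = SP_ALIVE, .freed = 0, .errors = 0 };
    struct sp_model *held = sp_get(&sp);     /* refcnt 2: tree + holder */

    if (unlink_in_flush)
        flush_with_unlink(&sp);              /* refcnt 1: one short */
    else
        flush_mark_dead(&sp);                /* refcnt still 2 */

    timer_reap(&sp);                         /* buggy: 0 -> freed; correct: 1 */
    sp_touch(held);                          /* holder still uses its pointer */
    sp_put(held);                            /* buggy: double release; correct: 0 */
    return sp.errors;
}

int main(void)
{
    printf("mark dead only : %d errors\n", run_scenario(0));
    printf("unlink in flush: %d errors\n", run_scenario(1));
    return 0;
}
```

With the mark-dead-only flush the holder's reference keeps the entry alive until the holder releases it, and the timer path's single release is the only one the tree ever performs; with the unlink in the flush path the same entry is released once too often, and the model records both the access through the stale pointer and the second release.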