NetBSD-Bugs archive


kern/44979: FAST_IPSEC kernel failed to increment SA-lifetime byte counter



>Number:         44979
>Category:       kern
>Synopsis:       FAST_IPSEC kernel failed to increment SA-lifetime byte counter
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May 17 15:20:01 +0000 2011
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
        For outgoing SAs the current lifetime byte counter is not incremented.
        This may extend the lifetime of an SA beyond its suggested value and may
        compromise security.
>How-To-Repeat:
        Set up a kernel with FAST_IPSEC, add an IPSEC tunnel and watch the SA status
        with 'setkey -D' while transferring some data through the tunnel.
        You will see an incrementing byte counter for the inbound SA, but the
        outbound SA stays at 0.
>Fix:
        Add a call to the "counter" update function in IPsec output processing.
        The following patch for /usr/src/sys/netipsec/ipsec_output.c will solve
        the problem.

--- ipsec_output.c      2011/02/11 12:38:56     1.2
+++ ipsec_output.c      2011/05/17 15:08:53
@@ -186,6 +186,8 @@
        IPSEC_ASSERT(sav != NULL, ("ipsec_process_done: null SA"));
        IPSEC_ASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH"));
 
+       key_sa_recordxfer(sav, m);
+
        saidx = &sav->sah->saidx;
 
 #ifdef IPSEC_NAT_T
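Review bot: the placement is sound, since `sav` and `sav->sah` have just been asserted non-NULL on the two lines above, but note what gets counted: ipsec_process_done runs after the transform has finished, so the `m` handed to key_sa_recordxfer(sav, m) is the encapsulated packet and the bytes credited to the outbound SA include the ESP/AH header, padding and trailer rather than the cleartext payload length. Confirm that the inbound path accounts the same way, so the byte lifetimes of the two SAs of one tunnel remain comparable. Recording the transfer here is also what allows a configured soft/hard byte lifetime to be reached at all for outbound traffic, which is the security point of this PR. Before committing, check the hunk's offsets against the target branch: it is taken against revision 1.2 of ipsec_output.c, while the report's Environment shows a NetBSD 4.0 kernel and the Release field says 5.1.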


>Unformatted:
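To automate the check described under How-To-Repeat, here is an added example that is not part of the PR or of NetBSD's own code. It parses two `setkey -D` dumps taken a little apart while traffic is flowing through the tunnel and reports SAs whose byte counter did not advance (the symptom reported here), and separately any SA whose counter has crossed a configured byte lifetime. The dump layout is reconstructed from the KAME/NetBSD setkey output format, and the addresses, SPIs, key material and counters in the samples are constructed; on a real host you would feed it the captured output of `setkey -D` instead of the rendered samples.

```python
import re

# Added example, not NetBSD code.  Renders one SA entry in the layout that
# `setkey -D` prints (reconstructed from the KAME/NetBSD format; the key
# material, dates and counters are constructed placeholders).
def render_sa(src, dst, spi, cur_bytes, hard_bytes, soft_bytes, state="mature"):
    return (
        f"{src} {dst}\n"
        f"\tesp mode=tunnel spi={spi}(0x{spi:08x}) reqid=0(0x0)\n"
        "\tE: aes-cbc  00000000 00000000 00000000 00000000\n"
        "\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000\n"
        f"\tseq=0x00000000 replay=4 flags=0x00000000 state={state}\n"
        "\tcreated: May 17 15:00:00 2011\tcurrent: May 17 15:05:00 2011\n"
        "\tdiff: 300(s)\thard: 28800(s)\tsoft: 23040(s)\n"
        "\tlast: May 17 15:04:59 2011\thard: 0(s)\tsoft: 0(s)\n"
        f"\tcurrent: {cur_bytes}(bytes)\thard: {hard_bytes}(bytes)"
        f"\tsoft: {soft_bytes}(bytes)\n"
        "\tallocated: 10\thard: 0\tsoft: 0\n"
        "\tsadb_seq=1 pid=1234 refcnt=1\n"
    )

# An SA starts with an unindented "src dst" line; its attributes follow indented.
SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_PROTO = re.compile(r"^\s*(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)")
SA_STATE = re.compile(r"state=(\w+)")
# Only the byte-lifetime line has "current: N(bytes)"; the "created:" line
# carries a timestamp after "current:" and must not match.
SA_BYTES = re.compile(
    r"current:\s*(\d+)\(bytes\)\s+hard:\s*(\d+)\(bytes\)\s+soft:\s*(\d+)\(bytes\)")

def parse_setkey_dump(text):
    """Parse `setkey -D` output into one dict per SA."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SA_HEADER.match(line)
            if m:
                cur = {"src": m.group(1), "dst": m.group(2)}
                sas.append(cur)
            continue
        if cur is None:
            continue
        if m := SA_PROTO.match(line):
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        elif m := SA_STATE.search(line):
            cur["state"] = m.group(1)
        elif m := SA_BYTES.search(line):
            cur["bytes"], cur["hard_bytes"], cur["soft_bytes"] = map(int, m.groups())
    return sas

def sa_key(sa):
    return f"{sa['proto']} spi={sa['spi']} {sa['src']}->{sa['dst']}"

def stalled_counters(before_text, after_text):
    """Keys of mature SAs whose byte counter did not advance between two dumps
    taken while traffic was flowing: the symptom this PR reports for outbound SAs."""
    before = {sa_key(s): s for s in parse_setkey_dump(before_text)}
    after = {sa_key(s): s for s in parse_setkey_dump(after_text)}
    return sorted(k for k, s in after.items()
                  if s.get("state") == "mature" and k in before
                  and s["bytes"] <= before[k]["bytes"])

def over_lifetime(dump_text):
    """(key, 'hard'|'soft') for SAs whose byte counter has reached a non-zero
    byte lifetime; a limit of 0 means no limit was configured."""
    out = []
    for sa in parse_setkey_dump(dump_text):
        for which in ("hard", "soft"):
            limit = sa[f"{which}_bytes"]
            if limit and sa["bytes"] >= limit:
                out.append((sa_key(sa), which))
                break
    return out

# Constructed snapshots: the outbound SA (10.0.0.1 -> 10.0.0.2) stays at 0 bytes
# while the inbound SA keeps counting, as described in the PR.
BEFORE = (render_sa("10.0.0.1", "10.0.0.2", 0x1001, 0, 1048576, 838860)
          + render_sa("10.0.0.2", "10.0.0.1", 0x1002, 4000, 1048576, 838860))
AFTER = (render_sa("10.0.0.1", "10.0.0.2", 0x1001, 0, 1048576, 838860)
         + render_sa("10.0.0.2", "10.0.0.1", 0x1002, 900000, 1048576, 838860))

if __name__ == "__main__":
    print("stalled:", stalled_counters(BEFORE, AFTER))
    print("over lifetime:", over_lifetime(AFTER))
```

On an affected kernel the outbound SA shows up in the stalled list on every pair of snapshots no matter how much traffic is sent, while the inbound SA only appears there during a genuinely idle interval; after the patch both counters should advance together. The lifetime check is the complementary view: with the counter stuck at 0, an outbound SA can never reach its soft or hard byte limit, so the over-lifetime list stays empty for that direction even after the expected rekey point.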

