kern/53708: ipsec: a lingering sah (struct secashead) may force a wrong mode to newly added SAs

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/53708: ipsec: a lingering sah (struct secashead) may force a wrong mode to newly added SAs
From: ozaki-r%iij.ad.jp@localhost
Date: Wed, 7 Nov 2018 09:35:00 +0000 (UTC)

>Number:         53708
>Category:       kern
>Synopsis:       ipsec: a lingering sah (struct secashead) may force a wrong mode to newly added SAs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 07 09:35:00 +0000 2018
>Originator:     Ryota Ozaki
>Release:        -current
>Organization:
IIJ
>Environment:
NetBSD kvm 8.99.25 NetBSD 8.99.25 (KVM) #1569: Tue Nov  6 13:24:47 JST 2018
>Description:
In the kernel, an SA represents as struct secashead (sah) and struct secasvar (sav).
When you create an SA, one sah and one sav are created.  If you delete the SA,
the sav is deleted immediately, however, sah remains for some reasons. After that,
if you create another SA with the same parameters (src/dst) but with a different
mode, then the remaining sah is reused as is wrongly and you'll get a new SA
with the old mode unexpectedly (see below).

The unexpected behavior occurs on add, update and getspi APIs.
>How-To-Repeat:
## start of script
src=10.0.0.1
dst=10.0.0.2
spi=1000

setkey -c <<-EOF
add    $src $dst esp $spi -m transport -E null;
delete $src $dst esp $spi;
add    $src $dst esp $spi -m tunnel -E null;
dump;
flush;
EOF
## end of script

A result looks like this (see "mode=transport").

10.0.0.1 10.0.0.2 
        esp mode=transport spi=1000(0x000003e8) reqid=0(0x00000000)
        E: null 
        seq=0x00000000 replay=0 flags=0x00000040 state=mature 
        created: Nov  7 18:05:41 2018   current: Nov  7 18:05:41 2018
        diff: 0(s)      hard: 0(s)      soft: 0(s)
        last: Nov  6 13:29:06 2018      hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3260 refcnt=0

>Fix:
Remove an sah immediately when belonging savs disappear and/or
when adding a new SA while there is an SA with a different mode,
remove the old SA or return an error.

Or treat SAs with different modes as different SAs on add/update/getspi.
(I'm not sure if the change is acceptable...)

Prev by Date: PR/53314 CVS commit: [netbsd-8] src/external/gpl2/groff/dist
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: PR/53314 CVS commit: [netbsd-8] src/external/gpl2/groff/dist
Next by Thread: bin/53709: cannot build evbmips64-eb tools with gcc using clang as host compiler
Indexes:

Home | Main Index | Thread Index | Old Index