Subject: Re: FAST_IPsec policy refcnt: "refcount" or "TTL", but not both
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-net
Date: 05/18/2004 10:31:50
On Mon, May 17, 2004 at 02:58:40PM -0700, Jonathan Stone wrote:
| I recently ran into a bug, in my own private tree, which looks like a
| bug in the SPD refcount handling in FAST_IPSEC: specifically, an
| incompatibility between the per-PCB SPD cache (which needs a real
| refcnt) and the derived-from-older-KAME key.c:key_timehandler(), which
| treats the refcnt field as a TTL.
|
| The symptoms in my own (mutant) tree are, broadly, that if one quickly
| deletes and adds policy rules, then one quickly triggers panics where
| SPD entry objects are double-freed, or are modified on the freelist.
I have seen similar issues on my IPsec enabled router, which
eventually resulted in a panic (which I couldn't capture the message of).
The messages I see in the syslog before the panic are of the form:
Data modified on freelist: word 7 of object 0xc0a23080 size 128
previous type bar (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 7 of object 0xc0a23080 size 92
previous type bar (0xdeadbeed != 0xdeadbeef)
(This is on NetBSD 1.6ZK from ~ March 12.)
I think my wife's WinXP box renegotiating IKE on a regular basis
(because she suspends it often) exacerbates this problem. I
wouldn't say solely responsible, because I have occasionally seen
these messages from before the time I migrated her laptop to using
IPsec and I only had my NetBSD 2.0C laptop using IKE to the router.
I have considered upgrading my router to 2.0E (and risking the
IPF 3.4 -> IPF 4.1 transition) to see if any recent changes in
our IPsec stack (since March) resolve the issue.
(Just a data point)
Cheers,
Luke.