Subject: kern/17203: playing with ipsec keys panics kernel
To: None <gnats-bugs@gnats.netbsd.org>
From: Brett Lymn (Master of the Siren) <blymn@baesystems.com.au>
List: netbsd-bugs
Date: 06/10/2002 23:08:30
>Number:         17203
>Category:       kern
>Synopsis:       playing with ipsec keys panics kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 10 06:39:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Brett Lymn (Master of the Siren)
>Release:        NetBSD 1.5ZC checked out 29/3/2002
>Organization:
Brett Lymn
>Environment:
System: NetBSD siren 1.5ZC NetBSD 1.5ZC (SIREN) #2: Thu Jun 6 23:02:04 CST 2002 toor@siren:/usr/src/sys/arch/i386/compile/SIREN i386
Architecture: i386
Machine: i386
>Description:
	While loading and unloading ipsec keys of differing lengths I
was able to make the kernel panic with either an unaligned data access
or data modified on free list.  The panic did not always happen right
away, but after modifying the keys and displaying them with setkey -D
the kernel would sometimes panic; sometimes it would take a little longer.

>How-To-Repeat:
	Fiddle with the keys and examine the SAD using setkey -D; the panic
seems more likely if you change the length of the key being loaded.

>Fix:
	No fix to suggest; I suspect that pointers to freed memory are being
kept and used in the ipsec kernel code.  If it helps, I have some kernel
core dumps.

>Release-Note:
>Audit-Trail:
>Unformatted: