NetBSD-Bugs archive

kern/41701: sys/ipsec/ipsec.c missing splx() call



>Number:         41701
>Category:       kern
>Synopsis:       sys/ipsec/ipsec.c missing splx() call
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 12 03:30:01 +0000 2009
>Originator:     Matthew Mondor
>Release:        NetBSD 5.0_STABLE
>Organization:
>Environment:
System: NetBSD ginseng.xisop 5.0_STABLE NetBSD 5.0_STABLE (GENERIC_MM) #1: Thu Jul 9 01:57:16 EDT 2009 root%behemoth.xisop@localhost:/usr/obj/sys/arch/i386/compile/GENERIC_MM i386
Architecture: i386
Machine: i386
>Description:
        There recently was a pulled-up and closed PR about a similar
        issue in the ipv4 stack (kern/41659).  I thought I'd check
        the ipv6 stack for a similar problem considering the
        heritage.  ip6_output.c seemed fine but delegated to
        netipsec/ipsec.c:ipsec6_check_policy() which had the same
        problem.
>How-To-Repeat:
>Fix:

--- ./sys/netipsec/ipsec.c.orig 2008-12-31 07:43:14.000000000 -0500
+++ ./sys/netipsec/ipsec.c      2009-07-11 23:20:10.000000000 -0400
@@ -2197,8 +2197,10 @@ ipsec6_check_policy(struct mbuf * m, con
        if (!ipsec_outdone(m)) {
                s = splsoftnet();
                if (in6p != NULL &&
-                               IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, 
IPSEC_DIR_OUTBOUND))
+                   IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
+                       splx(s);
                        goto skippolicycheck;
+               }
                sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, 
&error,in6p);
 
                /*
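
Review bot: the splx(s) added before goto skippolicycheck covers only this one exit from the region raised by s = splsoftnet(); the hunk does not show the code after the ipsec6_checkpolicy() call, so any other early exit between here and the matching splx() should be audited in the same way before this is committed. Pairing splx() with each goto by hand is what let this path be missed, so consider restructuring so the skip case and the normal case reach a single splx(s), for example by putting the ipsec6_checkpolicy() call in an else arm instead of jumping out of the raised-priority region. Separately, the removed line and the ipsec6_checkpolicy() context line are wrapped in this message, so the patch will not apply as posted and should be resent unwrapped or as an attachment.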


