NetBSD-Bugs archive


kern/44948: memory hole in netipsec/key.c - may lose mbufs



>Number:         44948
>Category:       kern
>Synopsis:       memory hole in netipsec/key.c - may lose mbufs
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May 10 10:20:00 +0000 2011
>Originator:     Dr. Wolfgang Stukenbrock
>Release:        NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
        
        
System: NetBSD e010 5.1 NetBSD 5.1 (NSW-svc-ISDN) #2: Thu May  5 13:12:45 CEST 2011 wgstuken@s012:/export/NetBSD-5.1/N+C-build/.OBJDIR_i386/export/NetBSD-5.1/src/sys/arch/i386/compile/NSW-svc-ISDN i386
Architecture: x86_64
Machine: amd64
>Description:
        In /usr/src/sys/netipsec/key.c, in key_do_allocsa_policy(), a SADB_DELETE message
        is generated under some circumstances.
        If the system runs out of mbufs (or has other problems) while doing this, some
        already allocated mbufs are not freed again. -> memory hole
>How-To-Repeat:
        not relevant - found by a look into the sources
>Fix:
        The following patch will solve the problem.
--- key.c       2011-05-10 12:06:54.000000000 +0200
+++ key.c.orig  2011-05-10 12:02:11.000000000 +0200
@@ -991,10 +991,8 @@
                                &d->sah->saidx.src.sa,
                                d->sah->saidx.src.sa.sa_len << 3,
                                IPSEC_ULPROTO_ANY);
-                       if (!m) {
-                               m_freem(result);
+                       if (!m)
                                goto msgfail;
-                       }
                        m_cat(result, m);
 
                        /* set sadb_address for saidx's. */
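Review bot: The patch direction is inverted. The header reads `--- key.c` / `+++ key.c.orig`, so the `m_freem(result);` lines that the report presents as the fix show up as `-` removals, and the unbraced `if (!m)` shows up as a `+` addition. Applied as posted, this takes the frees out of the already fixed file instead of adding them to the original. Regenerate it with the original file first (`diff -u key.c.orig key.c`), or state that it has to be applied with `patch -R`.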
@@ -1002,18 +1000,14 @@
                                &d->sah->saidx.src.sa,
                                d->sah->saidx.src.sa.sa_len << 3,
                                IPSEC_ULPROTO_ANY);
-                       if (!m) {
-                               m_freem(result);
+                       if (!m)
                                goto msgfail;
-                       }
                        m_cat(result, m);
 
                        /* create SA extension */
                        m = key_setsadbsa(d);
-                       if (!m) {
-                               m_freem(result);
+                       if (!m)
                                goto msgfail;
-                       }
                        m_cat(result, m);
 
                        if (result->m_len < sizeof(struct sadb_msg)) {
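Review bot: The `m_freem(result); goto msgfail;` pair is written out at both failure checks in this hunk (after the address extension and after `key_setsadbsa(d)`), as it is in the previous hunk. Freeing `result` once at the `msgfail` label would be less error-prone than repeating it at each site, provided every path that reaches the label either still owns `result` or has it set to NULL. The check that opens on the last context line, `if (result->m_len < sizeof(struct sadb_msg))`, is also a failure path taken after `result` has been built; its body is not shown here, so confirm that it releases `result` as well.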

>Unformatted:
        
        

