Subject: kern/36119: memleak in key_spdget in FAST_IPSEC
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Karl Knutsson <karl.knutsson@ericsson.com>
List: netbsd-bugs
Date: 04/03/2007 07:55:00
>Number: 36119
>Category: kern
>Synopsis: memleak in key_spdget in FAST_IPSEC
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 03 07:55:00 +0000 2007
>Originator: Karl Knutsson <karl.knutsson@ericsson.com>
>Release: NetBSD 3.0
>Organization:
LM Ericsson
>Environment:
System: NetBSD ulinpc54 3.0 NetBSD 3.0 (GENERIC) #0: Tue Jan 24 19:04:56 CET 2006 root@ulinpc54:/usr/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
The policy reference counter isn't decremented in key_spdget, which causes
a memleak. Also, the sequence number is ignored when the kernel constructs
a reply.
>How-To-Repeat:
Check the amount of memory allocated to key mgmt with vmstat.
Insert a policy and issue a SADB_X_GET request on it.
Flush the policy database.
Check the amount of memory allocated to key mgmt again; it should show an
increase.
>Fix:
Index: key.c
===================================================================
RCS file: /cvsroot/src/sys/netipsec/key.c,v
retrieving revision 1.23
diff -u -r1.23 key.c
--- key.c 28 Feb 2005 17:47:50 -0000 1.23
+++ key.c 29 Mar 2007 09:59:34 -0000
@@ -2255,7 +2255,9 @@
return key_senderror(so, m, ENOENT);
}
- n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
+ n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
+ mhp->msg->sadb_msg_pid);
+ KEY_FREESP(&sp); /* ref gained by key_getspbyid */
if (n != NULL) {
m_freem(m);
return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
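
Review bot: two independent fixes share this hunk, the sadb_msg_seq argument now passed to key_setdumpsp() in place of 0 and the KEY_FREESP(&sp) release on the line after it; only the second addresses the leak named in the synopsis, so the commit message should describe both, or the change should be split. The release sits ahead of the `if (n != NULL)` test, so the reference is dropped whether or not the reply mbuf was built, which means nothing later in the function may use sp. Since the comment attributes the reference to key_getspbyid, the other callers of key_getspbyid are worth checking for the same missing release.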