NetBSD-Bugs archive
kern/44948: memory hole in netipsec/key.c - may lose mbufs
>Number: 44948
>Category: kern
>Synopsis: memory hole in netipsec/key.c - may lose mbufs
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 10 10:20:00 +0000 2011
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD e010 5.1 NetBSD 5.1 (NSW-svc-ISDN) #2: Thu May 5 13:12:45 CEST 2011 wgstuken@s012:/export/NetBSD-5.1/N+C-build/.OBJDIR_i386/export/NetBSD-5.1/src/sys/arch/i386/compile/NSW-svc-ISDN i386
Architecture: x86_64
Machine: amd64
>Description:
In /usr/src/sys/netipsec/key.c in key_do_allocsa_policy() under some
circumstances a SADB_DELETE message is generated.
If the system runs out of mbufs (or has other problems) while doing
this, some already allocated mbufs are not freed again. -> memory hole
>How-To-Repeat:
not relevant - found by a look into the sources
>Fix:
The following patch will solve the problem.
--- key.c 2011-05-10 12:06:54.000000000 +0200
+++ key.c.orig 2011-05-10 12:02:11.000000000 +0200
@@ -991,10 +991,8 @@
&d->sah->saidx.src.sa,
d->sah->saidx.src.sa.sa_len << 3,
IPSEC_ULPROTO_ANY);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
/* set sadb_address for saidx's. */
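Review bot: the patch is generated in the reverse direction. The headers read `--- key.c` / `+++ key.c.orig`, so the `m_freem(result);` lines that the fix adds in this hunk appear as `-` lines and the unbraced `if (!m)` of the original appears as `+`. Regenerate it as `diff -u key.c.orig key.c`, or state that it has to be applied with `patch -R`, so that it cannot be applied the wrong way round.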
@@ -1002,18 +1000,14 @@
&d->sah->saidx.src.sa,
d->sah->saidx.src.sa.sa_len << 3,
IPSEC_ULPROTO_ANY);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
/* create SA extension */
m = key_setsadbsa(d);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
if (result->m_len < sizeof(struct sadb_msg)) {
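Review bot: the three `if (!m)` failure branches in this hunk each repeat `m_freem(result);` before `goto msgfail`, and the `msgfail` label itself is not visible in the patch. Please confirm that `msgfail` does not already free `result`, since that would turn the leak into a double free. It would be more robust to free `result` once at the label, guarded by a NULL check, so that later failure paths such as the `result->m_len < sizeof(struct sadb_msg)` check that follows cannot miss it either.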
>Unformatted: