The branch main has been updated by wma: URL: https://cgit.FreeBSD.org/src/commit/?id=a16771de4c1e01b52318edfab315d0ba2dce0c65
commit a16771de4c1e01b52318edfab315d0ba2dce0c65
Author: Kornel Duleba <[email protected]>
AuthorDate: 2021-08-13 07:35:08 +0000
Commit: Wojciech Macek <[email protected]>
CommitDate: 2021-08-13 07:35:08 +0000

ipsec: Return error code if no matching SA was found

If we matched SP to a packet, but no associated SA was found, ipsec4_allocsa will return NULL while setting error=0. This resulted in use after free and potential kernel panic. Return EINPROGRESS in the case described above instead.

Obtained from: Semihalf
Sponsored by: Stormshield
Differential revision: https://reviews.freebsd.org/D30994

--- sys/netipsec/ipsec_output.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index a817b67fd93e..2f8cc12c526b 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -322,6 +322,12 @@ setdf: sav = ipsec4_allocsa(m, sp, &idx, &error); if (sav == NULL) { key_freesp(&sp); + /* + * No matching SA was found and SADB_ACQUIRE message was generated. + * Since we have matched a SP to this packet drop it silently. + */ + if (error == 0) + error = EINPROGRESS; if (error != EJUSTRETURN) m_freem(m);
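Review bot: In the added `if (error == 0)` branch, the comment says the packet is dropped "silently", yet the code converts the result to EINPROGRESS, which the caller now sees as a non-zero error; the comment should state whether callers are expected to swallow EINPROGRESS or report it, since nothing in this hunk shows how it is handled further up. The NULL-with-error-0 result is also being corrected at this one call site rather than inside ipsec4_allocsa, so any other caller that tests `sav == NULL` and then trusts `error` would keep the behaviour the commit message describes. Consider setting the error where the SA lookup fails, or confirm that the IPv6 output path, if it has an equivalent lookup, gets the same check.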
