ikev2_parse_child_sa_body() creates a new struct db_sa *p2alg and fills it using kernel_alg_makedb().

kernel_alg_makedb() creates a copy (but does not set the dynamic bool). Then it's converted using p2alg = sa_v2_convert(p2alg); (which does not make a copy because dynamic is not set). The original is modified. Then ikev2_match_transform_list_child() is called with it, which also does not modify it. Then ikev2_parse_child_sa_body() ends, leaking the db_sa.

I think we are okay with free'ing it in ikev2_parse_child_sa_body() but I'd like someone else to verify the code path.

Paul
