From atc@death.ath.cx  Tue Apr  8 11:11:23 2008
Message-Id: <200804081111.m38BBErS091585@death.ath.cx>
Date: Tue, 8 Apr 2008 19:11:14 +0800 (CST)
From: susan.lan@zyxel.com.tw
Reply-To: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0	
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         122563
>Category:       kern
>Synopsis:       [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:20:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:02:40 UTC 2014
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 2 i386 PCs with FreeBSD 7.0-Release

>Description:
	About the KEY_FREESAV() in key_checkrequest() in key.c:

line 806:
   if (isr->sav != NULL) {
      KEY_FREESAV(&isr->sav);   /* drops the reference cached by the previous lookup */
      isr->sav = NULL;
   }

The code only frees the sav used LAST TIME. For outgoing SA entries, the reference count will always be 2, instead of 1 as for incoming SAs. I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel(), after invoking each transform's output function. Then the SA will be freed after its usage rather than only being freed when the next IPsec packet comes.

If the above condition is accepted, then key_delsp() in key.c should not call KEY_FREESAV(), or the SA reference count will underflow!


>How-To-Repeat:
	Create IPsec tunnel between the 2 PCs; for the outgoing SA, the reference count will always be 2, instead of 1.

>Fix:
	I have a solution in the description already.
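To make the "2 instead of 1" reference counts from the description concrete, here is an added model of the outgoing-SA reference lifecycle; it is not FreeBSD's key.c, and the types and function names are hypothetical. It assumes the SAD holds one reference to an SA and every per-packet lookup takes one more.

```c
/* Added example, not FreeBSD's key.c: a minimal model of the outgoing-SA
 * reference lifecycle the PR describes. All names are hypothetical. The SAD
 * holds one reference to the SA; each lookup for a packet takes one more. */
#include <stddef.h>

typedef struct { int refcnt; int underflow; } sa_t; /* one outgoing SA */
typedef struct { sa_t *sav; } isr_t;                /* policy's cached SA */

static void sa_release(sa_t *sa)        /* stand-in for KEY_FREESAV() */
{
    if (sa->refcnt <= 0) { sa->underflow = 1; return; } /* flag, never wrap */
    sa->refcnt--;
}

/* key_checkrequest() as the PR reads it: the SA cached for the previous
 * packet is released only when the next packet is processed. */
static void checkrequest_current(isr_t *isr, sa_t *sa)
{
    if (isr->sav != NULL) { sa_release(isr->sav); isr->sav = NULL; }
    sa->refcnt++;                       /* lookup for this packet */
    isr->sav = sa;
}

/* The PR's proposal: release right after the transform has used the SA,
 * so no extra reference is parked in isr->sav between packets. */
static void output_proposed(isr_t *isr, sa_t *sa)
{
    sa->refcnt++;                       /* lookup for this packet */
    isr->sav = sa;
    /* ... the transform's output function would run here ... */
    sa_release(isr->sav);
    isr->sav = NULL;
}

/* Send n packets under the current scheme; returns the refcnt afterwards. */
int refcnt_after_current(int n)
{
    sa_t sa = { 1, 0 }; isr_t isr = { NULL };
    for (int i = 0; i < n; i++) checkrequest_current(&isr, &sa);
    return sa.refcnt;                   /* 2: SAD's reference + cached one */
}

/* Same traffic under the proposal; returns the refcnt afterwards. */
int refcnt_after_proposed(int n)
{
    sa_t sa = { 1, 0 }; isr_t isr = { NULL };
    for (int i = 0; i < n; i++) output_proposed(&isr, &sa);
    return sa.refcnt;                   /* 1: only the SAD's reference */
}
```

With the cached reference gone, any later path that still releases isr->sav (the key_delsp() case raised above) would be the extra release the PR warns about; the guard in sa_release() flags it instead of wrapping.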


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Apr 8 12:26:09 UTC 2008 
Responsible-Changed-Why:  
mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122563 
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:02:27 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122563 
>Unformatted:
