Message-Id: <201104271217.p3RCHxBH084448@red.freebsd.org>
Date: Wed, 27 Apr 2011 12:17:59 GMT
From: Tobias Brunner <tobias@strongswan.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ipsec][patch] reference to policy in key_spdget is not released
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         156676
>Category:       kern
>Synopsis:       [ipsec][patch] reference to policy in key_spdget is not released
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    vanhu
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 27 12:20:07 UTC 2011
>Closed-Date:    Fri Aug 19 09:34:10 UTC 2011
>Last-Modified:  Fri Aug 19 09:34:10 UTC 2011
>Originator:     Tobias Brunner
>Release:        8.2-RELEASE
>Organization:
strongSwan Project
>Environment:
FreeBSD bsd.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Tue Apr 26 17:58:34 CEST 2011     root@bsd.localdomain:/usr/obj/usr/src/sys/IPSEC  i386
>Description:
In key_spdget the reference to the requested policy that gets allocated in key_get_spdbyid is not released (e.g. with a call to KEY_FREESP).

strongSwan, for example, uses SADB_X_SPDGET to query the last use time of a policy in order to check for idleness (and for status reports).  By increasing the reference count with each request, the policies cannot be deleted with a single SPD_X_SPDDELETE anymore.
>How-To-Repeat:

>Fix:
See attached patch...

Patch attached with submission follows:

--- sys/netipsec/key.orig.c	2011-04-27 13:39:43.000000000 +0200
+++ sys/netipsec/key.c	2011-04-27 14:14:24.000000000 +0200
@@ -2273,6 +2273,7 @@
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
+	int error;
 
 	IPSEC_ASSERT(so != NULL, ("null socket"));
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -2297,9 +2298,12 @@
 	n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
 	if (n != NULL) {
 		m_freem(m);
-		return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
+		error = key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
 	} else
-		return key_senderror(so, m, ENOBUFS);
+		error = key_senderror(so, m, ENOBUFS);
+
+	KEY_FREESP(&sp);
+	return error;
 }
 
 /*
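Review bot: In the second hunk, KEY_FREESP(&sp) is placed after both send paths, which forces the new `error` local and the rewrite of both return statements. sp is not referenced again after the key_setdumpsp() call shown here, so the release could sit directly after that call and the original `return key_sendup_mbuf(...)` and `return key_senderror(...)` lines could stay untouched. It is also worth checking whether any return between the point where sp is acquired and this hunk (not visible here) leaves the function with the reference still held.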


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->vanhu 
Responsible-Changed-By: vanhu 
Responsible-Changed-When: Wed Apr 27 12:22:47 UTC 2011 
Responsible-Changed-Why:  
Taking it, I'm already working on similar issues. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=156676 

From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: bug-followup@FreeBSD.org, tobias@strongswan.org
Cc:  
Subject: Re: kern/156676: [ipsec][patch] reference to policy in key_spdget is not released
Date: Thu, 28 Apr 2011 17:51:21 +0200

 Hi.
 
 Bug confirmed.
 
 But why didn't you just call KEY_FREESP(&sp) just after the call to
 key_setdumpsp() in your patch?
 
 key_setdumpsp() will copy all needed information in mbuf, so sp won't
 be used after that.
 
 
 
 Yvan.

From: Tobias Brunner <tobias@strongswan.org>
To: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/156676: [ipsec][patch] reference to policy in key_spdget
 is not released
Date: Thu, 28 Apr 2011 18:40:27 +0200

 > But why didn't you just call KEY_FREESP(&sp) just after the call to
 > key_setdumpsp() in your patch?
 >
 > key_setdumpsp() will copy all needed information in mbuf, so sp won't
 > be used after that.
 
 You are right, would have been a much nicer, more efficient fix.  I was 
 a bit in a hurry and didn't want to break anything and figured that the 
 policy sure won't be needed right before returning from key_spdget, so I 
 just placed KEY_FREESP there.  Please feel free to completely ignore my 
 patch :)
 
 Regards,
 Tobias
 

From: Riaan Kruger <RK@Nanoteq.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: kern/156676: [ipsec][patch] reference to policy in key_spdget
 is not released
Date: Mon, 9 May 2011 08:54:06 +0200

 I tried the patch on FreeBSD 8.2 Release (with the suggestions from
 vanhu) and there is no more build up of SPDs. Policies are successfully
 deleted where they weren't before the patch was applied.
 
 Riaan
 
 Important Notice:
 
 This e-mail and its contents are subject to the Nanoteq (Pty) Ltd e-mail legal notice available at:
 http://www.nanoteq.com/corp_profile/disclaimer.asp
 

From: Riaan Kruger <riaank@gmail.com>
To: bug-followup@FreeBSD.org, tobias@strongswan.org
Cc:  
Subject: Re: kern/156676: [ipsec][patch] reference to policy in key_spdget is
 not released
Date: Mon, 9 May 2011 10:47:58 +0200

 Let me try again:
 I tried the attached patch on FreeBSD 8.2 Release (with the
 suggestions from vanhu) and there is no more build up of SPDs.
 Policies are successfully deleted where they weren't before the patch
 was applied.
 
 Riaan
 
State-Changed-From-To: open->patched 
State-Changed-By: vanhu 
State-Changed-When: Mon May 9 13:18:00 UTC 2011 
State-Changed-Why:  
Fixed on HEAD, MFC to STABLE/8 will follow. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=156676 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/156676: commit references a PR
Date: Mon,  9 May 2011 13:16:30 +0000 (UTC)

 Author: vanhu
 Date: Mon May  9 13:16:21 2011
 New Revision: 221692
 URL: http://svn.freebsd.org/changeset/base/221692
 
 Log:
   Release SP's refcount in key_get_spdbyid().
   
   PR:	156676
   Submitted by: Tobias Brunner (tobias@strongswan.org)
   MFC after:	1 week
 
 Modified:
   head/sys/netipsec/key.c
 
 Modified: head/sys/netipsec/key.c
 ==============================================================================
 --- head/sys/netipsec/key.c	Mon May  9 10:39:15 2011	(r221691)
 +++ head/sys/netipsec/key.c	Mon May  9 13:16:21 2011	(r221692)
 @@ -2283,6 +2283,7 @@ key_spdget(so, m, mhp)
  	}
  
  	n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
 +	KEY_FREESP(&sp);
  	if (n != NULL) {
  		m_freem(m);
  		return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
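 Review bot: The log message names key_get_spdbyid(), but the hunk header shows the added KEY_FREESP(&sp) is in key_spdget(). The log would be easier to search and to match against the PR synopsis if it named key_spdget() as the function that now releases the reference.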
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/156676: commit references a PR
Date: Fri, 19 Aug 2011 09:06:09 +0000 (UTC)

 Author: vanhu
 Date: Fri Aug 19 09:06:00 2011
 New Revision: 225001
 URL: http://svn.freebsd.org/changeset/base/225001
 
 Log:
   MFC: Release SP's refcount in key_get_spdbyid().
   
   PR: 156676
   Submitted by:	Tobias Brunner (tobias@strongswan.org)
 
 Modified:
   stable/8/sys/netipsec/key.c
 Directory Properties:
   stable/8/sys/   (props changed)
 
 Modified: stable/8/sys/netipsec/key.c
 ==============================================================================
 --- stable/8/sys/netipsec/key.c	Fri Aug 19 09:01:34 2011	(r225000)
 +++ stable/8/sys/netipsec/key.c	Fri Aug 19 09:06:00 2011	(r225001)
 @@ -2292,6 +2292,7 @@ key_spdget(so, m, mhp)
  	}
  
  	n = key_setdumpsp(sp, SADB_X_SPDGET, 0, mhp->msg->sadb_msg_pid);
 +	KEY_FREESP(&sp);
  	if (n != NULL) {
  		m_freem(m);
  		return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
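 Review bot: The added KEY_FREESP(&sp) runs before the n != NULL check, which is correct only as long as nothing after key_setdumpsp() touches sp. A one-line comment above it saying the reply in n is already built and sp must not be used from here on would keep a later edit from reintroducing a use of sp after the release.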
 
State-Changed-From-To: patched->closed 
State-Changed-By: vanhu 
State-Changed-When: Fri Aug 19 09:32:25 UTC 2011 
State-Changed-Why:  
MFC on STABLE/8 done. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=156676 
>Unformatted:
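The leak described in the Description field, as an added example that is not part of the PR or of FreeBSD's key.c: a user-space C model in which sp_lookup stands in for key_get_spdbyid and sp_release for KEY_FREESP (the struct layout, function names and the policy id 7 are constructed for illustration). It shows that after leaky SPDGET requests a single delete no longer frees the policy, while the fixed handler leaves the count balanced.

```c
/* User-space model of the leak in this PR; constructed, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
struct secpolicy { unsigned id; int refcnt; };
static int destroyed;            /* policies actually freed */

static struct secpolicy *sp_new(unsigned id) {
    struct secpolicy *sp = calloc(1, sizeof(*sp));
    if (sp == NULL) abort();
    sp->id = id; sp->refcnt = 1; /* refcnt 1: the reference held by the SPD */
    return sp;
}

/* Stands in for KEY_FREESP: drop one reference, free on the last one. */
static void sp_release(struct secpolicy **spp) {
    struct secpolicy *sp = *spp;
    *spp = NULL;
    if (--sp->refcnt == 0) { free(sp); destroyed++; }
}

/* Stands in for key_get_spdbyid: a lookup hands back a new reference. */
static struct secpolicy *sp_lookup(struct secpolicy *e) { e->refcnt++; return e; }

/* SPDGET before the fix: the lookup reference is never dropped. */
static unsigned spdget_leaky(struct secpolicy *e) {
    struct secpolicy *sp = sp_lookup(e);
    return sp->id;
}

/* SPDGET after the fix: release as soon as the reply is built. */
static unsigned spdget_fixed(struct secpolicy *e) {
    struct secpolicy *sp = sp_lookup(e);
    unsigned reply = sp->id;     /* stands in for key_setdumpsp() */
    sp_release(&sp);
    return reply;
}

/* One delete after `gets` queries; returns 1 if the policy was freed. */
static int freed_by_single_delete(unsigned (*spdget)(struct secpolicy *), int gets) {
    struct secpolicy *sp = sp_new(7);
    destroyed = 0;
    for (int i = 0; i < gets; i++) spdget(sp);
    sp_release(&sp);             /* the delete drops only the SPD's reference */
    return destroyed;
}

int main(void) {
    printf("leaky freed=%d\n", freed_by_single_delete(spdget_leaky, 3));
    printf("fixed freed=%d\n", freed_by_single_delete(spdget_fixed, 3));
    return 0;
}
```

In the leaky run the policy object is intentionally never freed, which is the build-up of SPD entries reported in the follow-ups.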
