From kamada@lethe.hongo.wide.ad.jp  Thu Jun  2 12:41:44 2005
Return-Path: <kamada@lethe.hongo.wide.ad.jp>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E653516A41C
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Jun 2005 12:41:44 +0000 (GMT)
	(envelope-from kamada@lethe.hongo.wide.ad.jp)
Received: from lethe.hongo.wide.ad.jp (lethe.hongo.wide.ad.jp [203.178.135.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E69BC43D48
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Jun 2005 12:41:42 +0000 (GMT)
	(envelope-from kamada@lethe.hongo.wide.ad.jp)
Received: from lethe.hongo.wide.ad.jp (localhost [127.0.0.1])
	by lethe.hongo.wide.ad.jp (8.12.11/8.12.11) with ESMTP id j52CfeGQ000329;
	Thu, 2 Jun 2005 21:41:40 +0900 (JST)
	(envelope-from kamada@lethe.hongo.wide.ad.jp)
Received: (from kamada@localhost)
	by lethe.hongo.wide.ad.jp (8.12.11/8.12.11/Submit) id j52CfdKf000328;
	Thu, 2 Jun 2005 21:41:39 +0900 (JST)
	(envelope-from kamada)
Message-Id: <200506021241.j52CfdKf000328@lethe.hongo.wide.ad.jp>
Date: Thu, 2 Jun 2005 21:41:39 +0900 (JST)
From: "KAMADA Ken'ichi" <kamada@nanohz.org>
Reply-To: "KAMADA Ken'ichi" <kamada@nanohz.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: kamada@nanohz.org
Subject: [patch] Deleting non-existent security policy using SADB_X_SPDDELETE2 crashes FreeBSD 4.x
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         81804
>Category:       kern
>Synopsis:       [patch] Deleting non-existent security policy using SADB_X_SPDDELETE2 crashes FreeBSD 4.x
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 02 12:50:02 GMT 2005
>Closed-Date:    Tue Jun 07 12:20:45 GMT 2005
>Last-Modified:  Tue Jun 07 12:20:45 GMT 2005
>Originator:     KAMADA Ken'ichi <kamada@nanohz.org>
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
>Environment:
System: FreeBSD lethe.hongo.wide.ad.jp 4.11-STABLE FreeBSD 4.11-STABLE #15: Thu Jun 2 20:53:04 JST 2005 kamada@lethe.hongo.wide.ad.jp:/usr/obj/usr/src/sys/LETHE i386
with options IPSEC and IPSEC_ESP enabled.

>Description:
The 4.x kernel doesn't return correctly after the check of the existence
of IPsec policy in SADB_X_SPDDELETE2 via PF_KEYv2.
When I try to delete a non-existent policy, a NULL pointer is dereferenced
and the kernel crashes.

FreeBSD 5.x doesn't seem to have this problem.

>How-To-Repeat:

>Fix:

patch against FreeBSD: src/sys/netkey/key.c,v 1.16.2.15 2005/01/13 22:30:16 suz Exp

--- sys/netkey/key.c.orig	Fri Jan 14 07:30:16 2005
+++ sys/netkey/key.c	Thu Jun  2 20:09:00 2005
@@ -2092,8 +2092,7 @@
 	if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		ipseclog((LOG_DEBUG, "key_spddelete2: invalid message is passed.\n"));
-		key_senderror(so, m, EINVAL);
-		return 0;
+		return key_senderror(so, m, EINVAL);
 	}
 
 	id = ((struct sadb_x_policy *)mhp->ext[SADB_X_EXT_POLICY])->sadb_x_policy_id;
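Review bot: the return value of the invalid-message branch changes here, from a hard-coded 0 to whatever key_senderror(so, m, EINVAL) returns, which is more than the cosmetic two-line fold it looks like; the change is reasonable because it makes this error path use the same convention as the no-SP-found path in the second hunk, but the commit message should say that the function's result on this path now depends on key_senderror() so that any caller inspecting the return value of key_spddelete2 is reviewed with that in mind.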
@@ -2101,7 +2100,7 @@
 	/* Is there SP in SPD ? */
 	if ((sp = key_getspbyid(id)) == NULL) {
 		ipseclog((LOG_DEBUG, "key_spddelete2: no SP found id:%u.\n", id));
-		key_senderror(so, m, EINVAL);
+		return key_senderror(so, m, EINVAL);
 	}
 
 	sp->state = IPSEC_SPSTATE_DEAD;
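Review bot: the missing `return` in the no-SP-found branch is the root cause of the reported crash: when key_getspbyid(id) yields NULL, the old code logged the condition and sent EINVAL but then fell through to `sp->state = IPSEC_SPSTATE_DEAD;` with `sp` still NULL. Turning the call into `return key_senderror(so, m, EINVAL);` is the minimal correct fix, and it keeps the `ipseclog(... "no SP found id:%u" ...)` line ahead of the return, so a delete request for a non-existent policy id is still recorded at LOG_DEBUG for operators watching for malformed or stale PF_KEY traffic.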


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: arved 
Responsible-Changed-When: Mon Jun 6 16:12:12 GMT 2005 
Responsible-Changed-Why:  
Over to KAME liaison. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=81804 
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Tue Jun 7 12:19:41 GMT 2005 
State-Changed-Why:  
Thanks!  Committed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=81804 
>Unformatted:
