When IPSec takes an mbuf for processing, it passes it to the crypto(9) subsystem via crypto_dispatch(). The crypto(9) subsystem then calls ipsec_process_done() via a callback. While we are processing the mbuf in the crypto(9) subsystem, the user can delete the security policy. This leads to freeing the ipsec requests, and when the crypto(9) subsystem calls the callback function, it will access already freed memory. To protect against this we keep a reference to the used security policy until the crypto(9) subsystem finishes its work, and then release the reference to the security policy. Now we don't release the reference to the SP after calling ipsec[46]_process_packet(). But when it returns an error, we should release the reference to the SP, because no requests were queued to crypto(9).
Diff Detail
Repository: rS FreeBSD src repository - subversion
Event Timeline
I should note that currently IPSec+crypto(9) does deferred processing only for crypto drivers without the CRYPTOCAP_F_SYNC capability. This means that the described problem can only be triggered with via_padlock.
We should take an additional reference to the SP before processing a bundled SA, because it can be handled synchronously and the last reference will be freed in the callback function before we return.
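The following is an added illustration, not code from this revision or from FreeBSD, of the ownership rule the description and the comments above lay out: the reference to the security policy travels with the in-flight crypto request and is dropped by the completion callback; a dispatch error means nothing was queued, so the reference must be dropped on the error path instead; and a caller that still needs the SP after dispatching must hold its own extra reference, because a synchronous driver runs the callback inline and may drop the last reference before the call returns. Every name in it (sp_t, crp_t, crypto_driver_t, process_packet, process_done, crypto_dispatch_model, the scenario functions) is invented for the example, and "freeing" only sets a flag so the outcome can be inspected:

```c
#include <assert.h>
#include <stdlib.h>

/* Toy model of the SP lifetime rule. Every name here is invented for the
 * example, not FreeBSD's; "freeing" only sets a flag so the scenarios
 * below can inspect the outcome without touching freed memory. */
typedef struct sp { int refcnt; int freed; } sp_t;

static void sp_ref(sp_t *sp) { sp->refcnt++; }
static void sp_release(sp_t *sp)
{
    assert(sp->refcnt > 0 && !sp->freed);
    if (--sp->refcnt == 0) sp->freed = 1;   /* a real kernel frees it here */
}

/* A pending crypto request; it owns exactly one SP reference. */
typedef struct crp { sp_t *sp; struct crp *next; } crp_t;

/* Stand-in for a crypto(9) driver: sync != 0 behaves like a
 * CRYPTOCAP_F_SYNC driver and completes the request inline. */
typedef struct { int sync; int fail_dispatch; crp_t *queue; } crypto_driver_t;

/* Completion callback, in the role of ipsec_process_done(). */
static void process_done(crp_t *crp)
{
    assert(!crp->sp->freed);        /* the request's own ref guarantees this */
    sp_release(crp->sp);
    free(crp);
}

static int crypto_dispatch_model(crypto_driver_t *drv, crp_t *crp)
{
    if (drv->fail_dispatch) return -1;                /* request NOT queued */
    if (drv->sync) { process_done(crp); return 0; }  /* completes inline */
    crp->next = drv->queue; drv->queue = crp;        /* completes later */
    return 0;
}

static void crypto_run_queue(crypto_driver_t *drv)
{
    for (crp_t *c; (c = drv->queue) != NULL; ) { drv->queue = c->next; process_done(c); }
}

/* In the role of ipsec[46]_process_packet(): the caller's reference is
 * handed to the request and released by the callback. On dispatch error
 * no callback will ever run, so it is released right here. Either way
 * the caller's reference is consumed. */
static int process_packet(crypto_driver_t *drv, sp_t *sp)
{
    crp_t *crp = calloc(1, sizeof *crp);
    crp->sp = sp;
    int err = crypto_dispatch_model(drv, crp);
    if (err != 0) { sp_release(sp); free(crp); }     /* nothing queued */
    return err;
}

/* Async driver; the user deletes the policy while the request is in flight. */
static int scenario_async_delete_in_flight(void)
{
    crypto_driver_t drv = { .sync = 0 };
    sp_t *sp = calloc(1, sizeof *sp);
    sp->refcnt = 1;                 /* the SPD's own reference */
    sp_ref(sp);                     /* lookup: the caller's reference */
    int err = process_packet(&drv, sp);   /* now owned by the request */
    sp_release(sp);                 /* policy deleted: SPD drops its ref */
    int alive = !sp->freed;         /* the request's ref keeps it valid */
    crypto_run_queue(&drv);         /* callback drops the last reference */
    int ok = err == 0 && alive && sp->freed;
    free(sp);
    return ok;
}

/* crypto_dispatch() fails: nothing is queued and no reference may leak. */
static int scenario_dispatch_error(void)
{
    crypto_driver_t drv = { .fail_dispatch = 1 };
    sp_t *sp = calloc(1, sizeof *sp);
    sp->refcnt = 1;
    sp_ref(sp);
    int err = process_packet(&drv, sp);
    int refs = sp->refcnt;          /* back to the SPD's single reference */
    sp_release(sp);                 /* later deletion frees it exactly once */
    int ok = err != 0 && refs == 1 && sp->freed;
    free(sp);
    return ok;
}

/* Sync driver, the caller holds the last reference and still needs the SP
 * after process_packet() (e.g. for the next SA of a bundle). Returns 1
 * only if it took an extra reference across the call. */
static int scenario_sync_last_ref(int hold_extra)
{
    crypto_driver_t drv = { .sync = 1 };
    sp_t *sp = calloc(1, sizeof *sp);
    sp->refcnt = 1;                 /* policy already deleted: last ref */
    if (hold_extra) sp_ref(sp);
    int err = process_packet(&drv, sp);   /* callback already ran inline */
    int safe = !sp->freed;          /* 0 without the extra reference */
    if (hold_extra) sp_release(sp);
    free(sp);
    return err == 0 && safe;
}
```

The three scenarios return 1 when the reference discipline holds; scenario_sync_last_ref(0) returns 0, which is the synchronous-driver case the follow-up comment warns about: the callback drops the last reference inside process_packet(), and anything the caller does with the SP afterwards is a use after free unless it took its own reference first.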