if_ipsec: use-after-free in ipsec_set_tunnel
Needs ReviewPublic
Actions

Authored by jean-francois.hren_stormshield.eu on Sep 12 2022, 12:47 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Nov 16 2025, 4:59 PM

	Unknown Object (File)
	Nov 16 2025, 11:06 AM

	Unknown Object (File)
	Nov 16 2025, 2:14 AM

	Unknown Object (File)
	Nov 10 2025, 9:22 PM

	Unknown Object (File)
	Nov 10 2025, 7:33 AM

	Unknown Object (File)
	Nov 3 2025, 11:22 PM

	Unknown Object (File)
	Oct 31 2025, 11:21 AM

	Unknown Object (File)
	Oct 31 2025, 1:08 AM

Subscribers

Details

Reviewers

ae
jhb

Summary

On an IPSec VTI if the reqid is set after the tunnel addresses, a use-after-free occurs: the src parameter of ipsec_set_tunnel is freed when the call to ipsec_delete_tunnel is done since it was part of the saidx.

Test Plan

Create an IPSec interface using ifconfig:

ifconfig ipsec0 create
ifconfig ipsec0 tunnel 192.168.0.3 192.168.0.5
ifconfig ipsec0 reqid 100

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

jean-francois.hren_stormshield.eu created this revision.Sep 12 2022, 12:47 PM

Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptSep 12 2022, 12:47 PM

jean-francois.hren_stormshield.eu requested review of this revision.Sep 12 2022, 12:47 PM

Thanks, the patch is correct.
But I think we need rework the code to avoid such problem in future, or maybe add some comment, or add inline function like this:

static inline void 
ipsec_set_policies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT])
{
        struct secasindex *saidx;
        int i;

        for (i = 0; i < IPSEC_SPCOUNT; i++) 
                sc->sp[i] = sp[i];
        saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
        CK_LIST_INSERT_HEAD(ipsec_srchash(&saidx->src.sa), sc, srchash);
}

Revision Contents
Changeset List

Path

Size

sys/

net/

if_ipsec.c

7 lines

Diff 110463

View Options

if_ipsec: use-after-free in ipsec_set_tunnelNeeds ReviewPublicActions