Page MenuHomeFreeBSD

if_ipsec: use-after-free in ipsec_set_tunnel
Needs ReviewPublic

Authored by jean-francois.hren_stormshield.eu on Sep 12 2022, 12:47 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 28, 12:32 PM
Unknown Object (File)
Dec 14 2022, 3:11 AM

Details

Reviewers
ae
jhb
Summary

On an IPSec VTI if the reqid is set after the tunnel addresses, a use-after-free occurs: the src parameter of ipsec_set_tunnel is freed when the call to ipsec_delete_tunnel is done since it was part of the saidx.

Test Plan

Create an IPSec interface using ifconfig:

ifconfig ipsec0 create
ifconfig ipsec0 tunnel 192.168.0.3 192.168.0.5
ifconfig ipsec0 reqid 100

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Thanks, the patch is correct.
But I think we need rework the code to avoid such problem in future, or maybe add some comment, or add inline function like this:

static inline void 
ipsec_set_policies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT])
{
        struct secasindex *saidx;
        int i;

        for (i = 0; i < IPSEC_SPCOUNT; i++) 
                sc->sp[i] = sp[i];
        saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
        CK_LIST_INSERT_HEAD(ipsec_srchash(&saidx->src.sa), sc, srchash);
}