
if_ipsec: use-after-free in ipsec_set_tunnel
Needs Review (Public)

Authored by jean-francois.hren_stormshield.eu on Sep 12 2022, 12:47 PM.

Details

Reviewers
ae
jhb
Summary

On an IPSec VTI, if the reqid is set after the tunnel addresses, a use-after-free occurs: the src parameter of ipsec_set_tunnel is freed when the call to ipsec_delete_tunnel is done, since it was part of the saidx.

Test Plan

Create an IPSec interface using ifconfig:

ifconfig ipsec0 create
ifconfig ipsec0 tunnel 192.168.0.3 192.168.0.5
ifconfig ipsec0 reqid 100
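Added example, not code from this revision or from FreeBSD: a userspace C model of the ordering hazard the summary describes. It assumes (as the test plan's reqid step suggests) that changing the reqid re-enters the set-tunnel path with src/dst pointers into the saidx of the policy that is about to be torn down; struct names, the poisoning quarantine and the demo() driver are constructed for the model. The buggy ordering and the copy-before-teardown ordering sit side by side.

```c
/* Constructed userspace model of the ordering bug in the summary; not FreeBSD
 * code. struct saidx stands in for secasindex, struct softc for ipsec_softc. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct saidx { uint32_t src, dst, reqid; };  /* IPv4 addresses in host order */
struct softc { struct saidx *sp; };          /* the policy currently installed */
static struct saidx *quarantine;             /* delayed free, see delete_tunnel */
/* Model of ipsec_delete_tunnel(): releases the policy and the saidx inside it.
 * The object is poisoned and quarantined (as a debug allocator would do) so a
 * dangling read yields 0xA5A5A5A5 deterministically instead of UB. */
static void delete_tunnel(struct softc *sc)
{
    if (sc->sp == NULL) return;
    memset(sc->sp, 0xA5, sizeof(*sc->sp));
    free(quarantine);
    quarantine = sc->sp;
    sc->sp = NULL;
}
static void alloc_tunnel(struct softc *sc, uint32_t src, uint32_t dst, uint32_t reqid)
{
    sc->sp = malloc(sizeof(*sc->sp));
    sc->sp->src = src; sc->sp->dst = dst; sc->sp->reqid = reqid;
}
/* Buggy ordering: teardown first, then read *src/*dst, although the reqid
 * path passes pointers into the very saidx that teardown just released. */
static void set_tunnel_buggy(struct softc *sc, const uint32_t *src, const uint32_t *dst, uint32_t reqid)
{
    delete_tunnel(sc);
    alloc_tunnel(sc, *src, *dst, reqid);  /* stale read when src aliases the old saidx */
}
/* Fixed ordering: copy the addresses to the stack before anything is freed. */
static void set_tunnel_fixed(struct softc *sc, const uint32_t *src, const uint32_t *dst, uint32_t reqid)
{
    uint32_t s = *src, d = *dst;
    delete_tunnel(sc);
    alloc_tunnel(sc, s, d, reqid);
}
/* Test-plan sequence: tunnel 192.168.0.3 -> 192.168.0.5, then reqid 100, which
 * re-creates the tunnel from the live saidx. Returns the new policy's source. */
static uint32_t demo(int fixed)
{
    struct softc sc = { NULL };
    alloc_tunnel(&sc, 0xC0A80003u, 0xC0A80005u, 0);
    if (fixed) set_tunnel_fixed(&sc, &sc.sp->src, &sc.sp->dst, 100);
    else       set_tunnel_buggy(&sc, &sc.sp->src, &sc.sp->dst, 100);
    uint32_t result = sc.sp->src;
    delete_tunnel(&sc);
    return result;
}
```

With the fixed ordering demo(1) keeps 192.168.0.3 (0xC0A80003); with the buggy ordering demo(0) installs the poison pattern, which is what a debug kernel's use-after-free poisoning would surface as a bogus tunnel address.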

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Thanks, the patch is correct.
But I think we need to rework the code to avoid such problems in the future, or maybe add some comment, or add an inline function like this:

static inline void
ipsec_set_policies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT])
{
        struct secasindex *saidx;
        int i;

        /* Install the new policies first ... */
        for (i = 0; i < IPSEC_SPCOUNT; i++)
                sc->sp[i] = sp[i];
        /* ... then take the saidx from the policies now owned by sc, not from
         * a caller-supplied pointer that an earlier teardown may have freed. */
        saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
        CK_LIST_INSERT_HEAD(ipsec_srchash(&saidx->src.sa), sc, srchash);
}