On an IPSec VTI, if the reqid is set after the tunnel addresses, a use-after-free occurs: the src parameter of ipsec_set_tunnel is freed when ipsec_delete_tunnel is called, since it was part of the saidx.
Repository: rG FreeBSD src repository
Thanks, the patch is correct.
But I think we need to rework the code to avoid such a problem in the future, or maybe add some comment, or add an inline function like this:

    static inline void
    ipsec_set_policies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT])
    {
    	struct secasindex *saidx;
    	int i;

    	for (i = 0; i < IPSEC_SPCOUNT; i++)
    		sc->sp[i] = sp[i];
    	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
    	CK_LIST_INSERT_HEAD(ipsec_srchash(&saidx->src.sa), sc, srchash);
    }
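The hazard in the commit summary, as an added illustration that is not the FreeBSD code or this patch: the caller's src/dst pointers alias the softc's current saidx, so deleting the old tunnel before reading them is a use-after-free; copying the addresses first removes the dependency on the old allocation. All structure and function names here are constructed stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel structures; not FreeBSD's definitions. */
struct tun_addr  { uint32_t ip; };
struct tun_saidx { struct tun_addr src, dst; uint32_t reqid; };
struct tun_softc { struct tun_saidx *saidx; };

static void
tun_delete(struct tun_softc *sc)
{
	free(sc->saidx);	/* also invalidates any pointer into it */
	sc->saidx = NULL;
}

static struct tun_saidx *
tun_alloc(struct tun_addr src, struct tun_addr dst, uint32_t reqid)
{
	struct tun_saidx *n = malloc(sizeof(*n));

	if (n != NULL) {
		n->src = src;
		n->dst = dst;
		n->reqid = reqid;
	}
	return (n);
}

/* Buggy shape: if src/dst point into sc->saidx they dangle after tun_delete(). */
static int
tun_set_unsafe(struct tun_softc *sc, const struct tun_addr *src,
    const struct tun_addr *dst, uint32_t reqid)
{
	if (sc->saidx != NULL)
		tun_delete(sc);
	sc->saidx = tun_alloc(*src, *dst, reqid);	/* reads freed memory when aliased */
	return (sc->saidx != NULL ? 0 : -1);
}

/* Fixed shape: copy the caller's addresses before the old saidx is freed. */
static int
tun_set_safe(struct tun_softc *sc, const struct tun_addr *src,
    const struct tun_addr *dst, uint32_t reqid)
{
	struct tun_addr s = *src, d = *dst;	/* copies survive tun_delete() */

	if (sc->saidx != NULL)
		tun_delete(sc);
	sc->saidx = tun_alloc(s, d, reqid);
	return (sc->saidx != NULL ? 0 : -1);
}
```

Calling tun_set_safe() with pointers taken from sc->saidx itself (the "reqid set after the addresses" case) is safe; the same call into tun_set_unsafe() is the reported bug.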