Author: ae
Date: Wed May  3 09:25:26 2017
New Revision: 317733
URL: https://svnweb.freebsd.org/changeset/base/317733

Log:
  MFC r317431:
    Fix SP refcount leak.
  
    The PCB SP cache acquires an extra reference when an SP is stored in the
    cache. Release this reference when the PCB is destroyed in
    ipsec_delete_pcbpolicy(). In ipsec_copy_pcbpolicy(), release the
    reference to the SP if sp_in or sp_out is not NULL.
  
    Reported by:        Slawa Olhovchenkov <slw at zxy spb ru>

Modified:
  stable/11/sys/netipsec/ipsec_pcb.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netipsec/ipsec_pcb.c
==============================================================================
--- stable/11/sys/netipsec/ipsec_pcb.c  Wed May  3 09:23:13 2017        
(r317732)
+++ stable/11/sys/netipsec/ipsec_pcb.c  Wed May  3 09:25:26 2017        
(r317733)
@@ -172,10 +172,10 @@ ipsec_delete_pcbpolicy(struct inpcb *inp
        if (inp->inp_sp == NULL)
                return (0);
 
-       if (inp->inp_sp->flags & INP_INBOUND_POLICY)
+       if (inp->inp_sp->sp_in != NULL)
                key_freesp(&inp->inp_sp->sp_in);
 
-       if (inp->inp_sp->flags & INP_OUTBOUND_POLICY)
+       if (inp->inp_sp->sp_out != NULL)
                key_freesp(&inp->inp_sp->sp_out);
 
        free(inp->inp_sp, M_IPSEC_INPCB);
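Review bot: The new `sp_in != NULL` and `sp_out != NULL` tests in ipsec_delete_pcbpolicy() are only safe if both fields are zeroed when inp_sp is allocated and are never left dangling, and nothing in the hunk records that invariant. Going by the log, a slot can hold a cached reference without the matching INP_*_POLICY flag, so a comment above the first test would help, e.g. `/* A non-NULL sp_in/sp_out always owns one SP reference (socket policy or cached SP), whatever the flags say. */`. The function body continues past the free() call, so whether inp->inp_sp is cleared afterwards cannot be checked from here.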
@@ -250,6 +250,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, 
                if (sp == NULL)
                        return (ENOBUFS);
                ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_INBOUND);
+               if (new->inp_sp->sp_in != NULL)
+                       key_freesp(&new->inp_sp->sp_in);
                new->inp_sp->sp_in = sp;
                new->inp_sp->flags |= INP_INBOUND_POLICY;
        }
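Review bot: The added release before `new->inp_sp->sp_in = sp;` has no comment saying why the slot can already be occupied, which makes the reference ownership hard to audit later. Something like `/* Drop the reference held by an SP already in this slot (e.g. a cached one) before overwriting it. */` would do, and the same applies to the sp_out release in the following hunk. The enclosing block starts above the hunk, so where `sp` comes from is not visible here.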
@@ -258,6 +260,8 @@ ipsec_copy_pcbpolicy(struct inpcb *old, 
                if (sp == NULL)
                        return (ENOBUFS);
                ipsec_setspidx_inpcb(new, &sp->spidx, IPSEC_DIR_OUTBOUND);
+               if (new->inp_sp->sp_out != NULL)
+                       key_freesp(&new->inp_sp->sp_out);
                new->inp_sp->sp_out = sp;
                new->inp_sp->flags |= INP_OUTBOUND_POLICY;
        }
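Review bot: The `return (ENOBUFS)` at the top of this hunk can be reached after the inbound block has already released the old sp_in reference and installed its copy, leaving `new` with only part of the policy copied. If every caller discards `new` on a non-zero return this is harmless, but that is not visible from the hunk. A sentence in the function's header comment stating that `new` must be torn down on error would make the contract explicit.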