NetBSD Problem Report #53708

From www@NetBSD.org  Wed Nov  7 09:31:26 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 3715C7A1AC
	for <gnats-bugs@gnats.NetBSD.org>; Wed,  7 Nov 2018 09:31:26 +0000 (UTC)
Message-Id: <20181107093124.C8B937A1ED@mollari.NetBSD.org>
Date: Wed,  7 Nov 2018 09:31:24 +0000 (UTC)
From: ozaki-r@iij.ad.jp
Reply-To: ozaki-r@iij.ad.jp
To: gnats-bugs@NetBSD.org
Subject: ipsec: a lingering sah (struct secashead) may force a wrong mode to newly added SAs
X-Send-Pr-Version: www-1.0

>Number:         53708
>Category:       kern
>Synopsis:       ipsec: a lingering sah (struct secashead) may force a wrong mode to newly added SAs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 07 09:35:00 +0000 2018
>Originator:     Ryota Ozaki
>Release:        -current
>Organization:
IIJ
>Environment:
NetBSD kvm 8.99.25 NetBSD 8.99.25 (KVM) #1569: Tue Nov  6 13:24:47 JST 2018
>Description:
In the kernel, an SA is represented as a struct secashead (sah) and a struct secasvar (sav).
When you create an SA, one sah and one sav are created.  If you delete the SA,
the sav is deleted immediately; however, the sah remains for some reason. After that,
if you create another SA with the same parameters (src/dst) but with a different
mode, then the remaining sah is wrongly reused as is and you'll unexpectedly get a new SA
with the old mode (see below).

The unexpected behavior occurs on add, update and getspi APIs.
>How-To-Repeat:
## start of script
src=10.0.0.1
dst=10.0.0.2
spi=1000

setkey -c <<-EOF
add    $src $dst esp $spi -m transport -E null;
delete $src $dst esp $spi;
add    $src $dst esp $spi -m tunnel -E null;
dump;
flush;
EOF
## end of script

A result looks like this (see "mode=transport").

10.0.0.1 10.0.0.2 
        esp mode=transport spi=1000(0x000003e8) reqid=0(0x00000000)
        E: null 
        seq=0x00000000 replay=0 flags=0x00000040 state=mature 
        created: Nov  7 18:05:41 2018   current: Nov  7 18:05:41 2018
        diff: 0(s)      hard: 0(s)      soft: 0(s)
        last: Nov  6 13:29:06 2018      hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3260 refcnt=0

>Fix:
Remove an sah immediately when the savs belonging to it disappear and/or,
when adding a new SA while there is an SA with a different mode,
remove the old SA or return an error.

Or treat SAs with different modes as different SAs on add/update/getspi.
(I'm not sure if the change is acceptable...)
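
A check for the symptom described in this report, as an added example that is not part of the original PR: it parses `setkey -D`-style dump text and compares the mode of a given ESP SA with the mode that was requested. The function names and the embedded sample dump (constructed from the output quoted above) are assumptions of this example; addresses are compared as plain strings.

```shell
#!/bin/sh
# Added example: detect an SA whose kernel mode differs from the requested one.

# sample_dump: constructed input, shaped like the dump output quoted in the PR.
sample_dump() {
cat <<'EOF'
10.0.0.1 10.0.0.2
        esp mode=transport spi=1000(0x000003e8) reqid=0(0x00000000)
        E: null
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        sadb_seq=0 pid=3260 refcnt=0
EOF
}

# sa_mode SRC DST SPI: read dump text on stdin, print the mode of the
# matching ESP SA (prints nothing if no such SA is present).
sa_mode() {
    awk -v src="$1" -v dst="$2" -v spi="$3" '
        # Entry header: "<src> <dst>" starting in column 1.
        /^[^ \t]/ { cur_src = $1; cur_dst = $2; next }
        # Detail line: "esp mode=<mode> spi=<dec>(<hex>) ..."
        $1 == "esp" && cur_src == src && cur_dst == dst {
            mode = ""; s = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^mode=/) mode = substr($i, 6)
                if ($i ~ /^spi=/) { s = substr($i, 5); sub(/\(.*/, "", s) }
            }
            if (s == spi) { print mode; exit }
        }
    '
}

# check_sa_mode SRC DST SPI EXPECTED_MODE
# Returns 0 on match, 1 on mode mismatch, 2 if the SA is not in the dump.
check_sa_mode() {
    got=$(sa_mode "$1" "$2" "$3")
    [ -n "$got" ] || { echo "SA $1 $2 spi=$3 not found" >&2; return 2; }
    [ "$got" = "$4" ] && return 0
    echo "mode mismatch: requested $4, kernel reports $got" >&2
    return 1
}

# The PR's script requested tunnel mode on the second add; the dump says transport.
sample_dump | check_sa_mode 10.0.0.1 10.0.0.2 1000 tunnel ||
    echo "SA mode differs from request (possible lingering sah)"
```

On a live host, replace `sample_dump` with `setkey -D` and run the check after each add, update or getspi that changes the mode for an existing src/dst pair.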
