NetBSD Problem Report #44948
From Wolfgang.Stukenbrock@nagler-company.com Tue May 10 10:18:28 2011
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 3939363BBC7
for <gnats-bugs@gnats.NetBSD.org>; Tue, 10 May 2011 10:18:28 +0000 (UTC)
Message-Id: <20110510101817.AF7361E80D1@test-s0.nagler-company.com>
Date: Tue, 10 May 2011 12:18:17 +0200 (CEST)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: memory whole in netipsec/key.c - may loose mbuf's
X-Send-Pr-Version: 3.95
>Number: 44948
>Category: kern
>Synopsis: memory whole in netipsec/key.c - may loose mbuf's
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 10 10:20:00 +0000 2011
>Closed-Date: Wed Jul 06 17:26:18 +0000 2011
>Last-Modified: Wed Jul 06 17:26:18 +0000 2011
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD e010 5.1 NetBSD 5.1 (NSW-svc-ISDN) #2: Thu May 5 13:12:45 CEST 2011 wgstuken@s012:/export/NetBSD-5.1/N+C-build/.OBJDIR_i386/export/NetBSD-5.1/src/sys/arch/i386/compile/NSW-svc-ISDN i386
Architecture: x86_64
Machine: amd64
>Description:
In /usr/src/sys/netipsec/key.c in key_do_allocsa_policy() under some circumstances
a SADB_DELETE message is generated.
If the systems runs out of mbufs (or have other problems) while dooing this, some
already allocated mbufs are not freed again. -> memory whole
>How-To-Repeat:
not relevant - found by a look into the sources
>Fix:
The following patch will solve the problem.
--- key.c 2011-05-10 12:06:54.000000000 +0200
+++ key.c.orig 2011-05-10 12:02:11.000000000 +0200
@@ -991,10 +991,8 @@
&d->sah->saidx.src.sa,
d->sah->saidx.src.sa.sa_len << 3,
IPSEC_ULPROTO_ANY);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
/* set sadb_address for saidx's. */
@@ -1002,18 +1000,14 @@
&d->sah->saidx.src.sa,
d->sah->saidx.src.sa.sa_len << 3,
IPSEC_ULPROTO_ANY);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
/* create SA extension */
m = key_setsadbsa(d);
- if (!m) {
- m_freem(result);
+ if (!m)
goto msgfail;
- }
m_cat(result, m);
if (result->m_len < sizeof(struct sadb_msg)) {
>Release-Note:
>Audit-Trail:
From: "Matthias Drochner" <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44948 CVS commit: src/sys/netipsec
Date: Tue, 17 May 2011 18:57:03 +0000
Module Name: src
Committed By: drochner
Date: Tue May 17 18:57:02 UTC 2011
Modified Files:
src/sys/netipsec: key.c
Log Message:
cleanup some error handling to avoid memory leaks and doube frees,
from Wolfgang Stukenbrock per PR kern/44948, and part of kern/44952
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/key.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org,
Wolfgang.Stukenbrock@nagler-company.com,
"Matthias Drochner" <drochner@NetBSD.org>
Subject: Re: PR/44948 CVS commit: src/sys/netipsec
Date: Wed, 18 May 2011 13:59:08 +0200
At 19:00 Uhr +0000 17.05.2011, Matthias Drochner wrote:
> cleanup some error handling to avoid memory leaks and doube frees,
> from Wolfgang Stukenbrock per PR kern/44948, and part of kern/44952
Is this a potential candidate for a pull-up?
I have an instant panic here while setting up an ipsec tunnel between two
netbsd-5 machines, which I still have to document and send-pr (it's the
remote machine that goes belly-up). _Might_ be related...
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-3281
From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: Hauke Fath <hf@spg.tu-darmstadt.de>
Cc: <gnats-bugs@NetBSD.org>, <kern-bug-people@NetBSD.org>,
<gnats-admin@NetBSD.org>, <Wolfgang.Stukenbrock@nagler-company.com>,
Matthias Drochner <drochner@NetBSD.org>
Subject: Re: PR/44948 CVS commit: src/sys/netipsec
Date: Wed, 18 May 2011 15:20:42 +0200
hf@spg.tu-darmstadt.de said:
> Is this a potential candidate for a pull-up?
This is for FAST_IPSEC, and to get this working well on 5.x
many more pullups would be needed, some of them more invasive.
pfkey stuff is quite similar between KAME IPSEC and FAST_IPSEC,
so it is well possible that some fixes to the latter apply
to KAME as well.
The leaks and double-free fixed here are triggered in error
cases only which are hard to hit, so I'd be surprised if
this was related to your problem.
> instant panic here while setting up an ipsec tunnel
FAST_IPSEC is severly broken on 5.x, in particular on
MP boxes.
Can you tell which part of the code caused it?
best regards
Matthias
---------------------------------------------------------------------------=
---------------------
---------------------------------------------------------------------------=
---------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
---------------------------------------------------------------------------=
---------------------
---------------------------------------------------------------------------=
---------------------
Besuchen Sie uns auf unserem neuen Webauftritt unter www.fz-juelich.de
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Fri, 27 May 2011 18:06:19 +0000
State-Changed-Why:
this should be fixed in -current (slightly differently)
OK to close?
From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock@nagler-company.com>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org,
Wolfgang.Stukenbrock@nagler-company.com
Subject: Re: PR/44948 CVS commit: src/sys/netipsec
Date: Wed, 06 Jul 2011 12:31:43 +0200
Hi - sorry for the delay.
I thought I've already send an answer ..
The patch looks OK.
I think you can close the report.
Thanks.
W. Stukenbrock
Matthias Drochner wrote:
> The following reply was made to PR kern/44948; it has been noted by GNATS.
>
> From: "Matthias Drochner" <drochner@netbsd.org>
> To: gnats-bugs@gnats.NetBSD.org
> Cc:
> Subject: PR/44948 CVS commit: src/sys/netipsec
> Date: Tue, 17 May 2011 18:57:03 +0000
>
> Module Name: src
> Committed By: drochner
> Date: Tue May 17 18:57:02 UTC 2011
>
> Modified Files:
> src/sys/netipsec: key.c
>
> Log Message:
> cleanup some error handling to avoid memory leaks and doube frees,
> from Wolfgang Stukenbrock per PR kern/44948, and part of kern/44952
>
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/key.c
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
>
>
>
--
Dr. Nagler & Company GmbH
Hauptstraße 9
92253 Schnaittenbach
Tel. +49 9622/71 97-42
Fax +49 9622/71 97-50
Wolfgang.Stukenbrock@nagler-company.com
http://www.nagler-company.com
Hauptsitz: Schnaittenbach
Handelregister: Amberg HRB
Gerichtsstand: Amberg
Steuernummer: 201/118/51825
USt.-ID-Nummer: DE 273143997
Geschäftsführer: Dr. Martin Nagler, Dr. Dr. Karl-Kuno Kunze
State-Changed-From-To: feedback->closed
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Wed, 06 Jul 2011 17:26:18 +0000
State-Changed-Why:
confirmed by submitter
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.