Diffusion FreeBSD src repository a16771de4c1e

ipsec: Return error code if no matching SA was found
a16771de4c1e
Actions

Description

ipsec: Return error code if no matching SA was found

If we matched SP to a packet, but no associated SA was found
ipsec4_allocsa will return NULL while setting error=0.
This resulted in use after free and potential kernel panic.
Return EINPROGRESS if the case described above instead.

Obtained from: Semihalf
Sponsored by: Stormshield
Differential revision: https://reviews.freebsd.org/D30994

Details

Provenance

kd	Authored on Aug 13 2021, 7:35 AM
wma	Committed on Aug 13 2021, 7:35 AM

Differential Revision

D30994: Return error code if no matching SA was found

Parents

rG6b66194bcb7e: ipsec: Check PMTU before sending a frame.

Branches

Unknown

Tags

Unknown

Event Timeline

wma committed rGa16771de4c1e: ipsec: Return error code if no matching SA was found (authored by kd).Aug 13 2021, 7:35 AM

wma added an edge: D30994: Return error code if no matching SA was found.

Changes (1)

Path

Size

sys/

netipsec/

ipsec_output.c

rGa16771de4c1e

View Options

sys/netipsec/ipsec_output.c