author | Moritz Buhl <mbuhl@cvs.openbsd.org> | 2022-11-11 17:58:15 +0000 |
---|---|---|
committer | Moritz Buhl <mbuhl@cvs.openbsd.org> | 2022-11-11 17:58:15 +0000 |
commit | 8754402055c6364720901d946beb72647b026d9c (patch) | |
tree | 8ae490f8166a968cf0ce46fb554f5e743320aed7 /sbin/iked | |
parent | 0c35f403d88b00fd995bc5d1963bb541f4e99307 (diff) |
Make sure csa->csa_bundled is NULL after freeing to prevent a
possible use after free.
ok tobhe@
Diffstat (limited to 'sbin/iked')
-rw-r--r-- | sbin/iked/ikev2.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 686ca3bd1b5..798b923f15c 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.357 2022/11/07 22:39:52 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.358 2022/11/11 17:58:14 mbuhl Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -6592,7 +6592,7 @@ int
 ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, uint8_t saproto,
 uint64_t spi, uint64_t *spiptr, int cleanup)
 {
- struct iked_childsa *csa, *csatmp = NULL, *ipcomp;
+ struct iked_childsa *csa, *csatmp = NULL;
 uint64_t peerspi = 0;
 int found = 0;
@@ -6619,21 +6619,26 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, uint8_t saproto,
 if (spi && csa->csa_spi.spi == spi)
 peerspi = csa->csa_peerspi;
- ipcomp = csa->csa_bundled;
- if (ipcomp) {
- if (ipcomp->csa_loaded) {
- if (pfkey_sa_delete(env, ipcomp) != 0)
+ /* ipcomp */
+ if (csa->csa_bundled) {
+ if (csa->csa_bundled->csa_loaded) {
+ if (pfkey_sa_delete(env, csa->csa_bundled) != 0)
 log_info("%s: failed to delete IPCOMP"
 " SA spi %s", SPI_SA(sa, __func__),
- print_spi(ipcomp->csa_spi.spi,
- ipcomp->csa_spi.spi_size));
+ print_spi(
+ csa->csa_bundled->csa_spi.spi,
+ csa->csa_bundled->csa_spi.spi_size
+ ));
 else
 log_debug("%s: deleted IPCOMP SA spi %s",
 SPI_SA(sa, __func__),
- print_spi(ipcomp->csa_spi.spi,
- ipcomp->csa_spi.spi_size));
+ print_spi(
+ csa->csa_bundled->csa_spi.spi,
+ csa->csa_bundled->csa_spi.spi_size
+ ));
 }
- childsa_free(ipcomp);
+ childsa_free(csa->csa_bundled);
+ csa->csa_bundled = NULL;
 }
 TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
 ikestat_inc(env, ikes_csa_removed); |
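Review bot: The `csa->csa_bundled = NULL;` added after `childsa_free(csa->csa_bundled);` in the third hunk carries the whole fix, yet nothing on it says which later access it guards, and `/* ipcomp */` only labels the block. A comment such as `/* csa is still used below; do not leave a pointer to the freed IPCOMP SA */` would keep a later cleanup from dropping the assignment. The assignment clears only this one reference; whether the freed SA stays reachable some other way (for instance as its own entry on `sa->sa_childsas`) cannot be checked from these lines and is worth confirming against childsa_free(). Keeping the local `ipcomp` alias and adding just the NULL assignment would also have avoided the reflowed `print_spi(` calls with their dangling `));`. The body of ikev2_childsa_delete() starts and ends outside the hunk.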