authorAlexander Bluhm <bluhm@cvs.openbsd.org>2021-12-03 17:18:35 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2021-12-03 17:18:35 +0000
commita1d5abe1d502f970a79317fe1811cb26827aeb98 (patch)
treeb634a039939ba6aabb91393d2d2deaca0b87020b /sys/netinet
parent0285b2528a887ede4d0d8e002d48e65c1ad4a315 (diff)
Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB. The ref happens when ipsp_spd_inp() copies the pointer from ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after using it. tested by Hrvoje Popovski; OK mvs@ tobhe@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_output.c6
-rw-r--r--sys/netinet/ip_spd.c7
2 files changed, 9 insertions, 4 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index a27f69ac583..a8f240a887f 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.376 2021/12/01 12:51:09 bluhm Exp $ */
+/* $OpenBSD: ip_output.c,v 1.377 2021/12/03 17:18:34 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -523,6 +523,9 @@ done:
if (ro == &iproute && ro->ro_rt)
rtfree(ro->ro_rt);
if_put(ifp);
+#ifdef IPSEC
+ tdb_unref(tdb);
+#endif /* IPSEC */
return (error);
bad:
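Review bot: The `tdb_unref(tdb)` added under `done:` runs on every exit of ip_output(), including paths that jump there before any SA lookup, so it is only safe if `tdb` is initialised to NULL at the top of the function and tdb_unref() tolerates NULL. Neither the declaration nor tdb_unref() is visible in this hunk, so both should be confirmed; a non-NULL-safe unref here would be a NULL dereference in the output path. The ownership rule is worth recording at the call site, e.g. `/* drop the reference handed back by ip_output_ipsec_lookup() */`. The early return patched in ip_output_ipsec_lookup() (next hunk) releases the same reference, and that function's remaining exits lie outside the hunk and need the same drop-or-hand-over check, since a missed one leaks a TDB reference.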
@@ -558,6 +561,7 @@ ip_output_ipsec_lookup(struct mbuf *m, int hlen, struct inpcb *inp,
!memcmp(&tdbi->dst, &tdb->tdb_dst,
sizeof(union sockaddr_union))) {
/* no IPsec needed */
+ tdb_unref(tdb);
*tdbout = NULL;
return 0;
}
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index f8fad967149..b1c49b21247 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.107 2021/12/01 12:51:09 bluhm Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.108 2021/12/03 17:18:34 bluhm Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -825,9 +825,10 @@ ipsp_spd_inp(struct mbuf *m, struct inpcb *inp, struct ipsec_policy *ipo,
justreturn:
if (tdbout != NULL) {
- if (ipo != NULL)
+ if (ipo != NULL) {
+ tdb_ref(ipo->ipo_tdb);
*tdbout = ipo->ipo_tdb;
- else
+ } else
*tdbout = NULL;
}
return 0;
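Review bot: In the `justreturn:` block `ipo->ipo_tdb` is read twice, once for `tdb_ref()` and once for the store to `*tdbout`. If the policy's TDB pointer can change between the two reads (no lock or assertion is visible in this hunk), the reference would be taken on one TDB and a different, unreferenced one handed to the caller, which is how a use-after-free arises. A single read closes the window: if tdb_ref() returns its argument (its definition is not on this page), write `*tdbout = tdb_ref(ipo->ipo_tdb);`; otherwise copy the pointer into a local first. The function comment, which is outside the hunk, should also state that a non-NULL `*tdbout` is returned referenced and must be released by the caller with tdb_unref().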