From 1e7cbde51bbd16b88f2766efbfbc1ab82db35eb7 Mon Sep 17 00:00:00 2001 From: markus Date: Tue, 6 May 2014 09:21:50 +0000 Subject: [PATCH] don't sa_free() in the receive path (prevents use-after-free); ok mikeb@ --- sbin/iked/ikev2_pld.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c index 84f0af0bf76..e46da1b13d5 100644 --- a/sbin/iked/ikev2_pld.c +++ b/sbin/iked/ikev2_pld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_pld.c,v 1.43 2014/05/06 07:45:17 markus Exp $ */ +/* $OpenBSD: ikev2_pld.c,v 1.44 2014/05/06 09:21:50 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -1166,7 +1166,7 @@ ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld, /* XXX chould also happen for PFS */ if (!msg->msg_sa->sa_hdr.sh_initiator) { log_debug("%s: not an initiator", __func__); - sa_free(env, msg->msg_sa); + sa_state(env, msg->msg_sa, IKEV2_STATE_CLOSED); msg->msg_sa = NULL; return (-1); } @@ -1180,7 +1180,7 @@ ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld, } log_debug("%s: responder selected DH group %d", __func__, group); - sa_free(env, msg->msg_sa); + sa_state(env, msg->msg_sa, IKEV2_STATE_CLOSED); msg->msg_sa = NULL; /* XXX chould also happen for PFS so we have to check state XXX*/ timer_set(env, &env->sc_inittmr, ikev2_init_ike_sa, NULL); -- 2.20.1