From 8ad3d730b52702c792d3fe733dbe367f95eeb17e Mon Sep 17 00:00:00 2001
From: mvs
Date: Mon, 19 Jul 2021 14:49:55 +0000
Subject: [PATCH] Remove `ids' from `ipsec_ids_tree' while following ipsp_ids_insert() error path. This fixes use-after-free issue. Also fix debug message mistype pointed by bluhm@ in error path. ok millert@ bluhm@
---
 sys/netinet/ip_ipsp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index d4cc147b045..6885bd5ffb8 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.241 2021/07/18 18:19:22 mvs Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.242 2021/07/19 14:49:55 mvs Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -1010,7 +1010,8 @@ ipsp_ids_insert(struct ipsec_ids *ids)
 if (++ipsec_ids_next_flow == 0)
 ipsec_ids_next_flow = 1;
 if (ipsec_ids_next_flow == start_flow) {
- DPRINTF("psec_ids_next_flow exhausted %u",
+ RBT_REMOVE(ipsec_ids_tree, &ipsec_ids_tree, ids);
+ DPRINTF("ipsec_ids_next_flow exhausted %u",
 ipsec_ids_next_flow);
 return NULL;
 }
--
2.20.1
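Review bot: The added `RBT_REMOVE(ipsec_ids_tree, &ipsec_ids_tree, ids);` in the ipsp_ids_insert() hunk carries no comment explaining why the exhaustion path has to unlink `ids`, and the reason is not visible at this spot because the insertion into `ipsec_ids_tree` happens above the hunk. I would put `/* ids is already linked into ipsec_ids_tree; unlink it before failing so the tree keeps no pointer the caller may free */` directly above the call, so a later refactor does not drop the line and reintroduce the use-after-free named in the commit message. The function starts and ends outside the hunk, so it is worth confirming that no other early return between that insertion and this point leaves `ids` linked, and that this path runs under the same lock as the insertion.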