From fe6e03c1e32639f2d575fda4dc144378597c49c4 Mon Sep 17 00:00:00 2001
From: mbuhl
Date: Sun, 13 Nov 2022 21:19:40 +0000
Subject: [PATCH] Make sure csa->csa_bundled is NULL after freeing to prevent a possible use after free. ok tobhe@
---
 sbin/iked/config.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index c8afd9702d2..353ccde4039 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.88 2022/10/10 11:33:55 tobhe Exp $ */
+/* $OpenBSD: config.c,v 1.89 2022/11/13 21:19:40 mbuhl Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider
@@ -314,7 +314,7 @@ void
 config_free_childsas(struct iked *env, struct iked_childsas *head,
 struct iked_spi *peerspi, struct iked_spi *localspi)
 {
- struct iked_childsa *csa, *csatmp, *ipcomp;
+ struct iked_childsa *csa, *csatmp;
 if (localspi != NULL) bzero(localspi, sizeof(*localspi));
@@ -337,11 +337,14 @@ config_free_childsas(struct iked *env, struct iked_childsas *head,
 RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
 (void)pfkey_sa_delete(env, csa);
 }
- if ((ipcomp = csa->csa_bundled) != NULL) {
- log_debug("%s: free IPCOMP %p", __func__, ipcomp);
- if (ipcomp->csa_loaded)
- (void)pfkey_sa_delete(env, ipcomp);
- childsa_free(ipcomp);
+ /* ipcomp */
+ if (csa->csa_bundled != NULL) {
+ log_debug("%s: free IPCOMP %p", __func__,
+ csa->csa_bundled);
+ if (csa->csa_bundled->csa_loaded)
+ (void)pfkey_sa_delete(env, csa->csa_bundled);
+ childsa_free(csa->csa_bundled);
+ csa->csa_bundled = NULL;
 }
 childsa_free(csa);
 ikestat_inc(env, ikes_csa_removed);
--
2.20.1
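Review bot: In the `@@ -337,11 +337,14 @@` hunk the added `csa->csa_bundled = NULL;` sits directly before `childsa_free(csa)` and reads like a dead store, and the `/* ipcomp */` comment does not say why it is needed. Going by the commit message, childsa_free() (not visible in this diff) presumably still looks at csa_bundled while tearing down csa, so this store is what keeps it away from the already freed bundled SA. I would state that at the assignment, e.g. `/* clear before childsa_free(csa) so it never sees the freed IPCOMP SA */`, so a later cleanup does not drop the line. Any other caller that frees a bundled SA ahead of its parent would need the same reset; config_free_childsas() starts and ends outside this hunk.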