[Swan-dev] db_sa *p2alg leak in ikev2_parse_child_sa_body()
Paul Wouters
paul at nohats.ca
Fri Aug 1 22:20:25 EEST 2014
ikev2_parse_child_sa_body() creates a new struct db_sa *p2alg and fills
it using kernel_alg_makedb()
kernel_alg_makedb() creates a copy (but does not set the dynamic bool)
Then it's converted using p2alg = sa_v2_convert(p2alg); (which does not
make a copy because dynamic is not set; the original is modified).
Then ikev2_match_transform_list_child() is called with it, which also
does not modify it.
Then ikev2_parse_child_sa_body() ends, leaking the db_sa.
I think we are okay with freeing it in ikev2_parse_child_sa_body(), but
I'd like someone else to verify the code path.
Paul
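As an added illustration of the ownership pattern the message describes (not libreswan code; the names alg_db, makedb, convert_v2, match_transform and parse_child_sa are made up stand-ins for db_sa, kernel_alg_makedb(), sa_v2_convert(), ikev2_match_transform_list_child() and ikev2_parse_child_sa_body()), the model below assumes that `dynamic` means "heap-allocated, holder must free it" and that the release helper is gated on that flag; the converter is modelled only on the in-place path the message reports. A live-allocation counter shows which combinations of "maker sets dynamic" and "parser frees its p2alg" actually leak:

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct db_sa. `dynamic` is assumed to mean
 * "heap-allocated and owned by the holder"; static templates are false. */
struct alg_db {
    bool dynamic;
    int ntrans;
    int trans[4];
};

/* Counts live heap objects so a scenario can report whether it leaked. */
static int live_allocs;

static struct alg_db *alg_db_alloc(void)
{
    struct alg_db *p = calloc(1, sizeof(*p));
    if (p != NULL)
        live_allocs++;
    return p;
}

/* Flag-gated release (assumed convention): frees heap objects, leaves
 * static templates alone. A copy whose maker forgot to set `dynamic`
 * slips through here untouched. */
static void alg_db_free(struct alg_db *db)
{
    if (db != NULL && db->dynamic) {
        free(db);
        live_allocs--;
    }
}

/* A static template, like a built-in algorithm table. Never freed. */
static const struct alg_db template_db = {
    .dynamic = false, .ntrans = 3, .trans = { 12, 3, 20 },
};

/* Stand-in for kernel_alg_makedb(): returns a fresh heap copy of the
 * template. The message reports that the real function does not set the
 * dynamic flag on its copy; `set_dynamic` toggles that behaviour. */
static struct alg_db *makedb(bool set_dynamic)
{
    struct alg_db *p = alg_db_alloc();
    if (p == NULL)
        return NULL;
    *p = template_db;
    p->dynamic = set_dynamic;
    return p;
}

/* Stand-in for sa_v2_convert() on the path the message describes: no copy,
 * the input is modified in place and the same pointer is returned. The
 * "conversion" here just sorts the transform ids. */
static struct alg_db *convert_v2(struct alg_db *db)
{
    for (int i = 1; i < db->ntrans; i++)
        for (int j = i; j > 0 && db->trans[j - 1] > db->trans[j]; j--) {
            int t = db->trans[j];
            db->trans[j] = db->trans[j - 1];
            db->trans[j - 1] = t;
        }
    return db;
}

/* Stand-in for ikev2_match_transform_list_child(): read-only lookup. */
static bool match_transform(const struct alg_db *db, int wanted)
{
    for (int i = 0; i < db->ntrans; i++)
        if (db->trans[i] == wanted)
            return true;
    return false;
}

/* The parse path: makedb, convert, match, return. `release` selects whether
 * the function frees its p2alg before returning, as the message proposes.
 * Returns 1/0 for match, -1 on allocation failure. */
static int parse_child_sa(bool set_dynamic, bool release, int wanted)
{
    struct alg_db *p2alg = makedb(set_dynamic);
    if (p2alg == NULL)
        return -1;
    p2alg = convert_v2(p2alg);
    int matched = match_transform(p2alg, wanted) ? 1 : 0;
    if (release)
        alg_db_free(p2alg);
    return matched;
}

/* Runs one parse and returns how many heap objects it left behind. */
int leaked_by_parse(bool set_dynamic, bool release)
{
    int before = live_allocs;
    if (parse_child_sa(set_dynamic, release, 12) < 0)
        return -1;
    return live_allocs - before;
}

int main(void)
{
    int as_reported = leaked_by_parse(false, false); /* no flag, no free */
    int free_only = leaked_by_parse(false, true);    /* gated free skips it */
    int fixed = leaked_by_parse(true, true);         /* flag set and freed */
    return (as_reported == 1 && free_only == 1 && fixed == 0) ? 0 : 1;
}
```

Under these assumptions adding a free call to the parser is only half the story: if the project's release routine honours the dynamic flag, the copy must also be marked dynamic by its maker, otherwise the free is a no-op and the object still leaks.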