[Swan-dev] db_sa *p2alg leak in ikev2_parse_child_sa_body()

Paul Wouters paul at nohats.ca
Fri Aug 1 22:20:25 EEST 2014


ikev2_parse_child_sa_body() creates a new struct db_sa *p2alg and fills
it using kernel_alg_makedb()

kernel_alg_makedb() creates a copy (but does not set the dynamic bool)

Then it's converted using p2alg = sa_v2_convert(p2alg); (which does not
make a copy because dynamic is not set; the original is modified).

Then ikev2_match_transform_list_child() is called with it, which also
does not modify it.

Then ikev2_parse_child_sa_body() ends, leaking the db_sa.

I think we are okay with freeing it in ikev2_parse_child_sa_body() but
I'd like someone else to verify the code path.

Paul
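The ownership convention the post describes (a db_sa whose "dynamic" flag says whether the caller owns a heap copy, a makedb() that hands back a copy without setting that flag, and a convert() that copies only when the flag is set) is easy to get wrong, so here is a stand-alone model of the leaky path next to the proposed fix. This is an added example, not libreswan's code: the struct layout, the model_* helper names, the live-allocation counter and the payload fields are all assumptions made for illustration; only the behaviour of each step follows what the post states.

```c
/* Added example: a model of the db_sa ownership convention described in
 * the post.  NOT libreswan's code: struct layout, field names and the
 * model_* helpers are assumptions; only the per-step behaviour (copy
 * without setting dynamic, convert in place when dynamic is false,
 * read-only match) follows the post. */
#include <stdbool.h>
#include <stdlib.h>

struct db_sa {
    bool dynamic;        /* true: heap copy owned by the caller, safe to free */
    int  proposal_count; /* assumed stand-in for the real proposal payload */
    int  version;        /* assumed: 1 before sa_v2_convert, 2 after */
};

/* Count of live heap db_sa objects, so the leak is observable. */
static int live_db_sa = 0;

static struct db_sa *db_sa_copy(const struct db_sa *src, bool dynamic)
{
    struct db_sa *c = malloc(sizeof(*c));
    if (c == NULL)
        abort();
    *c = *src;
    c->dynamic = dynamic;
    live_db_sa++;
    return c;
}

static void free_db_sa(struct db_sa *sa)
{
    if (sa == NULL)
        return;
    live_db_sa--;
    free(sa);
}

/* Model of kernel_alg_makedb(): returns a fresh heap copy of a static
 * template but, as the post notes, leaves dynamic == false. */
static struct db_sa *model_kernel_alg_makedb(void)
{
    static const struct db_sa template = { .dynamic = false,
                                           .proposal_count = 3,
                                           .version = 1 };
    return db_sa_copy(&template, false);
}

/* Model of sa_v2_convert(): copies only when the input is marked dynamic;
 * otherwise it converts the original in place and returns the same pointer. */
static struct db_sa *model_sa_v2_convert(struct db_sa *sa)
{
    struct db_sa *out = sa->dynamic ? db_sa_copy(sa, true) : sa;
    out->version = 2;
    return out;
}

/* Model of ikev2_match_transform_list_child(): read-only, keeps no reference. */
static bool model_match(const struct db_sa *sa)
{
    return sa->version == 2 && sa->proposal_count > 0;
}

/* The code path as described in the post: the heap copy is never freed. */
static bool parse_child_sa_leaky(void)
{
    struct db_sa *p2alg = model_kernel_alg_makedb();
    p2alg = model_sa_v2_convert(p2alg);
    return model_match(p2alg);
    /* p2alg goes out of scope here: one db_sa leaked per call. */
}

/* The proposed fix: free it before ikev2_parse_child_sa_body() returns.
 * This is safe only because convert() returned the same pointer (dynamic
 * was false, so no second copy exists) and match() kept no reference. */
static bool parse_child_sa_fixed(void)
{
    struct db_sa *p2alg = model_kernel_alg_makedb();
    p2alg = model_sa_v2_convert(p2alg);
    bool ok = model_match(p2alg);
    free_db_sa(p2alg);
    return ok;
}

/* Runs fn() n times and returns how many db_sa objects are still live. */
static int leaked_after(bool (*fn)(void), int n)
{
    live_db_sa = 0;
    for (int i = 0; i < n; i++)
        (void)fn();
    return live_db_sa;
}
```

Calling leaked_after(parse_child_sa_leaky, n) returns n and leaked_after(parse_child_sa_fixed, n) returns 0, which is the check a reviewer of the real code path would want to reproduce with a leak checker (valgrind or ASan) on the actual function.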
