[Openswan dev] There may be memory leak in KLIPS?

ifwang at yeah.net ifwang at yeah.net
Tue Nov 28 08:22:32 EST 2006


In ipsec_rcv.c,

int ipsec_rcv_decap(struct ipsec_rcv_state *irs)
...
line 835:
	decap_stat = ipsec_rcv_decap_once(irs, proto_funcs);

	if(decap_stat != IPSEC_RCV_OK) {
		spin_unlock(&tdb_lock);
		KLIPS_PRINT(debug_rcv,
			    "klips_debug:ipsec_rcv: decap_once failed: %d\n",
			    decap_stat);

		goto rcvleave;
	}
...
line 1194:
rcvleave:
	if(skb) {
		ipsec_kfree_skb(skb);
	}

	KLIPS_DEC_USE;
	return(0);
If the return value of ipsec_rcv_decap_once is not IPSEC_RCV_OK, it returns 0 to ipsec_rcv and does not free skb.
In ipsec_rcv(struct sk_buff *skb
#ifndef PROTO_HANDLER_SINGLE_PARM
	  unsigned short xlen
#endif /* PROTO_HANDLER_SINGLE_PARM */
	  )
line 782:
	ipsec_rcv_decap(irs);
	KLIPS_DEC_USE;
	return(0);
Thus, in some cases, such as when it receives a duplicate ESP packet, the packet will be neither decapsulated nor freed, which causes a memory leak in kernel space.

It may be resolved by adding a line in ipsec_rcv_decap,
line 842:
	skb = irs->skb;

BTW, the version is openswan 2.4.4
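The ownership bug described in the message above, as an added user-space C model; this is not KLIPS code and not part of the original post. `struct skb`, `struct rcv_state`, `decap_once()`, `rcv_decap()` and the `live_skbs` counter are constructed stand-ins for sk_buff, ipsec_rcv_state, ipsec_rcv_decap_once() and ipsec_rcv_decap(); the 4-byte sequence-number replay check and the packet bytes are made up for the demonstration. What it shows is the pattern: the cleanup label frees a function-local copy of the packet pointer, the worker function operates on irs->skb instead, and an early exit that jumps to the label without re-synchronising the local copy leaks whatever irs->skb still holds. `apply_fix` toggles the one-line `skb = irs->skb;` change proposed above.

```c
/*
 * Constructed user-space model of the leak; not KLIPS code.
 * struct skb, struct rcv_state, decap_once() and rcv_decap() stand in for
 * sk_buff, ipsec_rcv_state, ipsec_rcv_decap_once() and ipsec_rcv_decap().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct skb {                 /* stand-in for struct sk_buff */
    unsigned char *data;
    size_t len;
};

struct rcv_state {           /* stand-in for struct ipsec_rcv_state */
    struct skb *skb;         /* the packet currently owned by this receive */
    unsigned long last_seq;  /* toy anti-replay state: highest seq accepted */
};

enum { RCV_OK = 0, RCV_SHORTPKT = 1, RCV_REPLAYFAILED = 2 };

static int live_skbs = 0;    /* allocation counter: a leak shows up here */

static struct skb *skb_alloc(const unsigned char *payload, size_t len)
{
    struct skb *s = malloc(sizeof *s);
    if (!s) abort();
    s->data = malloc(len ? len : 1);
    if (!s->data) abort();
    memcpy(s->data, payload, len);
    s->len = len;
    live_skbs++;
    return s;
}

static void kfree_skb(struct skb *s)   /* like ipsec_kfree_skb(): NULL is a no-op */
{
    if (!s) return;
    free(s->data);
    free(s);
    live_skbs--;
}

/*
 * Toy decap_once: the first 4 bytes are a big-endian ESP sequence number.
 * A duplicate fails the replay check and leaves irs->skb untouched; on
 * success the outer packet is freed and irs->skb is replaced by the inner
 * one. Everything goes through irs->skb, never through a caller's copy.
 */
static int decap_once(struct rcv_state *irs)
{
    struct skb *s = irs->skb;
    if (s->len < 4)
        return RCV_SHORTPKT;
    unsigned long seq = ((unsigned long)s->data[0] << 24) |
                        ((unsigned long)s->data[1] << 16) |
                        ((unsigned long)s->data[2] << 8)  |
                         (unsigned long)s->data[3];
    if (seq <= irs->last_seq)
        return RCV_REPLAYFAILED;        /* duplicate ESP packet */
    irs->last_seq = seq;
    struct skb *inner = skb_alloc(s->data + 4, s->len - 4);
    kfree_skb(s);
    irs->skb = inner;
    return RCV_OK;
}

/*
 * Models ipsec_rcv_decap(): the rcvleave label frees the function-local
 * `skb`, so any path that jumps there must first copy irs->skb into it.
 */
static int rcv_decap(struct rcv_state *irs, int apply_fix)
{
    struct skb *skb = NULL;             /* what rcvleave: will free */
    int stat = decap_once(irs);
    if (stat != RCV_OK) {
        if (apply_fix)
            skb = irs->skb;             /* proposed fix: hand the packet to rcvleave */
        goto rcvleave;                  /* without it, skb is still NULL here */
    }
    skb = irs->skb;                     /* success path: inner packet consumed here */
rcvleave:
    kfree_skb(skb);
    irs->skb = NULL;                    /* caller drops irs; anything not freed is lost */
    return 0;
}

/*
 * Deliver the same ESP packet twice (the second is a duplicate) and return
 * how many skbs are still allocated afterwards: 0 means no leak.
 */
static int run_scenario(int apply_fix)
{
    struct rcv_state irs = { .skb = NULL, .last_seq = 0 };
    /* constructed packet: seq = 7, followed by a 7-byte payload */
    static const unsigned char pkt[] = { 0, 0, 0, 7, 'p', 'a', 'y', 'l', 'o', 'a', 'd' };
    int before = live_skbs;
    for (int i = 0; i < 2; i++) {
        irs.skb = skb_alloc(pkt, sizeof pkt);
        rcv_decap(&irs, apply_fix);
    }
    return live_skbs - before;
}

int main(void)
{
    printf("leaked skbs without fix: %d\n", run_scenario(0));
    printf("leaked skbs with fix:    %d\n", run_scenario(1));
    return 0;
}
```

Run with the fix disabled and the duplicate packet is neither decapsulated nor freed, so one skb remains allocated after the function returns; with the one-line fix the failure path frees it. The general lesson is the one a reviewer would apply to any goto-cleanup function: when ownership of a buffer lives in a state struct, the cleanup label should free from that struct (or every early exit must copy back into the local before jumping).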