[Openswan dev] LEAK_DETECTIVE hits passert()
D. Hugh Redelmeier
hugh at mimosa.com
Wed Dec 1 12:53:18 EST 2010
| From: D. Hugh Redelmeier <hugh at mimosa.com>
| The trouble is that in quick_inI1_outR1_cryptocontinue1, the reference
| to *dh comes after it is freed by the call to start_dh_secret a few
| lines earlier.
|
| Note: this case is STF_INLINE.
|
| start_dh_secret calls send_crypto_helper_request.
|
| send_crypto_helper_request decides to do the request itself. In line
| 421 it pfree's the continuation.
|
| So dh is freed before quick_inI1_outR1_cryptocontinue1 tries to use it
| in line 2043.
|
| Since I don't really understand the logic, I cannot suggest the right
| fix.
Reading some more code...
quick_inI1_outR1_cryptocontinue1 calls start_dh_secret.
After start_dh_secret returns this code will then execute:
    if(e != STF_SUSPEND) {
        if(dh->md != NULL) {
            complete_v1_state_transition(&qke->md, e);
            if(dh->md) release_md(qke->md);
        }
    }
In the STF_INLINE case, this is probably wrong:
quick_inI1_outR1_cryptocontinue1 has already called complete_v1_state_transition
and it has freed *dh.
It called quick_inI1_outR1_cryptocontinue2 which did the release_md too.
So this code would be more correct if the first line were
if(e != STF_SUSPEND && e != STF_INLINE) {
I'm not asserting that it would actually be correct or even that this is
part of the correct fix.
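As an added illustration, not Openswan code: the C program below is a simplified model of the ownership hand-off described in this thread (all names are assumptions borrowed from the discussion, and the bookkeeping globals replace a real allocator). In the inline path the callee releases the md and frees the continuation, so a caller guarded only by `e != STF_SUSPEND` reads the freed continuation; the extended guard avoids that read without changing the suspend path.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Simplified model of the lifetime rules discussed above; the names are
 * assumptions borrowed from the thread, not Openswan's real definitions. */
typedef enum { STF_SUSPEND, STF_INLINE } stf_status;
struct msg_digest { int id; };
struct dh_continuation { struct msg_digest *md; };
/* Bookkeeping that lets a test observe lifetime errors instead of crashing. */
static bool g_cont_live;      /* true while the continuation is allocated */
static int  g_use_after_free; /* reads of *dh after it was pfree'd */
static int  g_md_releases;    /* release_md() calls; more than one is a double release */

static void pfree_cont(struct dh_continuation *c) { g_cont_live = false; free(c); }
static void release_md(struct msg_digest *md) { (void)md; g_md_releases++; }

/* Checked read of dh->md: records a use-after-free instead of touching freed memory. */
static struct msg_digest *cont_md(struct dh_continuation *c)
{
    if (!g_cont_live) { g_use_after_free++; return NULL; }
    return c->md;
}

/* Models send_crypto_helper_request doing the request itself (STF_INLINE):
 * the continuation runs to completion, releases md and is pfree'd here,
 * so the caller no longer owns *dh once this returns. */
static stf_status start_dh_secret(struct dh_continuation *dh, bool do_inline)
{
    if (!do_inline)
        return STF_SUSPEND;  /* helper owns dh until it calls back later */
    release_md(dh->md);      /* what cryptocontinue2 does */
    pfree_cont(dh);          /* what send_crypto_helper_request does */
    return STF_INLINE;
}

/* The caller's post-call block from the thread, with the extra guard selectable.
 * Returns how many times *dh was read after it had been freed. */
static int caller(bool do_inline, bool guard_inline)
{
    struct dh_continuation *dh = calloc(1, sizeof *dh);
    struct msg_digest md = { 1 };
    dh->md = &md;
    g_cont_live = true; g_use_after_free = 0; g_md_releases = 0;
    stf_status e = start_dh_secret(dh, do_inline);
    if (e != STF_SUSPEND && !(guard_inline && e == STF_INLINE)) {
        if (cont_md(dh) != NULL)  /* original code reads dh->md here */
            release_md(cont_md(dh));
    }
    if (e == STF_SUSPEND)
        pfree_cont(dh);           /* model has no helper thread; tidy up */
    return g_use_after_free;
}
```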