[Openswan dev] [PATCH] fix SA leaks in openswan 2.6.22 when using klips

David McCullough David_Mccullough at securecomputing.com
Tue Aug 4 09:50:35 EDT 2009


Jivin willer.wang at cybertan.com.tw lays it down ...
> Hi,
> 	I have tested this patch, it works.
> 	The expired SA will be removed and HW OCF resource can be freed correctly.
> 	But I found another problem when using this patch,
> 	I established 5 tunnels, and all ipsec_lifetime=60(s).
> 	After 21 hours, all tunnels disconnected.
> 	And console keeps showing  
> 	"ipsec_SAref_alloc: unexpected error, 
> 	refFreeListHead = 102 point to invalid entry"
> 
> 	It seems that if the total SA ref number > 2^15,
> 	the sadb crashed.
> 	Can someone give me advice or direction about this problem ?

That sounds like you need Martin's patch posted to the dev list a few days back.
I have attached it here to save looking; it would be good if you can test with
this one.

Cheers,
Davidm

> -----Original Message-----
> From: David McCullough [mailto:David_Mccullough at securecomputing.com] 
> Sent: Monday, August 03, 2009 9:52 AM
> To: users at openswan.org; dev at openswan.org
> Cc: Willer Wang 王明偉 (52216); Martin Schiller
> Subject: [PATCH] fix SA leaks in openswan 2.6.22 when using klips
> 
> 
> Hi all,
> 
> Here's the followup to some of the SA problems people have been seeing.
> Two patches,  the refcount patch is the minimum required, the tracking patch
> includes the debug code I used to clean up the refcount usage.
> 
> I have been rekeying tunnels every minute for most of the weekend with this
> applied.  Let me know if you have any problems.  Just note that this patch
> doesn't include Martin's patch from last week.
> 
> Cheers,
> Davidm
> 
> -- 
> David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
> McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
> 

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_sa_recycle.patch
Type: text/x-diff
Size: 2149 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20090804/b34c6b81/attachment.bin 