[Openswan dev] [PATCH] fix SA leaks in openswan 2.6.22 when using klips
David McCullough
David_Mccullough at securecomputing.com
Tue Aug 4 09:50:35 EDT 2009
Jivin willer.wang at cybertan.com.tw lays it down ...
> Hi,
> I have tested this patch, it works.
> The expired SA will be removed and HW OCF resource can be freed correctly.
> But I found another problem when using this patch,
> I established 5 tunnels, and all ipsec_lifetime=60(s).
> After 21 hours, all tunnels disconnected.
> And console keeps showing
> "ipsec_SAref_alloc: unexpected error,
> refFreeListHead = 102 point to invalid entry"
>
> It seems that if the total SA ref number > 2^15,
> the sadb crashes.
> Can someone give me advice or direction about this problem?
That sounds like you need Martin's patch posted to the dev list a few days back.
I have attached it here to save looking, would be good if you can test with
this one.
Cheers,
Davidm
> -----Original Message-----
> From: David McCullough [mailto:David_Mccullough at securecomputing.com]
> Sent: Monday, August 03, 2009 9:52 AM
> To: users at openswan.org; dev at openswan.org
> Cc: Willer Wang 王明偉 (52216); Martin Schiller
> Subject: [PATCH] fix SA leaks in openswan 2.6.22 when using klips
>
>
> Hi all,
>
> Here's the followup to some of the SA problems people have been seeing.
> Two patches, the refcount patch is the minimum required, the tracking patch
> includes the debug code I used to clean up the refcount usage.
>
> I have been rekeying tunnels every minute for most of the weekend with this
> applied. Let me know if you have any problems. Just note that this patch
> doesn't include Martin's patch from last week.
>
> Cheers,
> Davidm
>
> --
> David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
> McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
>
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_sa_recycle.patch
Type: text/x-diff
Size: 2149 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20090804/b34c6b81/attachment.bin