[Openswan dev] LEAK_DETECTIVE hits passert()

D. Hugh Redelmeier hugh at mimosa.com
Wed Dec 1 12:53:18 EST 2010


| From: D. Hugh Redelmeier <hugh at mimosa.com>

| The trouble is that in quick_inI1_outR1_cryptocontinue1, the reference
| to *dh comes after it is freed by the call to start_dh_secret a few
| lines earlier.
| 
| Note: this case is STF_INLINE.
| 
| start_dh_secret calls send_crypto_helper_request.
| 
| send_crypto_helper_request decides to do the request itself.  In line
| 421 it pfree's the continuation.
| 
| So dh is freed before quick_inI1_outR1_cryptocontinue1 tries to use it
| in line 2043.
| 
| Since I don't really understand the logic, I cannot suggest the right
| fix.

Reading some more code...

quick_inI1_outR1_cryptocontinue1 calls start_dh_secret.

After start_dh_secret returns this code will then execute:

        if(e != STF_SUSPEND) {
            if(dh->md != NULL) {
                complete_v1_state_transition(&qke->md, e);
                if(dh->md) release_md(qke->md);
            }
        }

In the STF_INLINE case, this is probably wrong:
quick_inI1_outR1_cryptocontinue1 has already called complete_v1_state_transition
and it has freed *dh.
It called quick_inI1_outR1_cryptocontinue2 which did the release_md too.

So this code would be more correct if the first line were
        if(e != STF_SUSPEND && e != STF_INLINE) {

I'm not asserting that it would actually be correct or even that this is
part of the correct fix.
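To make the control flow above concrete, here is an added stand-alone C model of it; it is not Openswan code. The STF_SUSPEND/STF_INLINE names come from the thread, while struct cont, pfree_stub, start_dh_secret_stub and caller_touches_freed are hypothetical stand-ins, and pfree_stub only flags the block as freed (instead of really freeing it) so that the later access can be detected deterministically rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome codes modelled on the STF_* values named in the thread. */
enum stf { STF_OK, STF_SUSPEND, STF_INLINE };

/* Hypothetical continuation, standing in for the dh/qke objects. */
struct cont {
    int md;      /* stands in for dh->md; nonzero = message still attached */
    bool freed;  /* set by pfree_stub so a later access can be detected  */
};

/* Stand-in for pfree(): marks the block freed instead of releasing it. */
static void pfree_stub(struct cont *c) { c->freed = true; }

/* Stand-in for start_dh_secret(): in the inline path the crypto request
 * is serviced immediately, the md is released by the continuation, and
 * the continuation itself is pfree'd before control returns. */
static enum stf start_dh_secret_stub(struct cont *c, bool do_inline) {
    if (do_inline) {
        c->md = 0;        /* continuation2 already did release_md() */
        pfree_stub(c);    /* send_crypto_helper_request pfree's it   */
        return STF_INLINE;
    }
    return STF_SUSPEND;   /* helper runs asynchronously; cont lives on */
}

/* Models the caller's post-start_dh_secret block.  With fixed == false it
 * uses the original test (e != STF_SUSPEND); with fixed == true it adds
 * the proposed "&& e != STF_INLINE".  Returns true if the caller would
 * have read dh->md out of an already-freed continuation. */
static bool caller_touches_freed(bool do_inline, bool fixed) {
    struct cont c = { .md = 1, .freed = false };
    enum stf e = start_dh_secret_stub(&c, do_inline);
    bool enter = (e != STF_SUSPEND);
    if (fixed)
        enter = enter && (e != STF_INLINE);
    if (enter) {
        if (c.freed)
            return true;  /* the "if(dh->md != NULL)" read of freed memory */
        /* complete_v1_state_transition() / release_md() would follow here */
    }
    return false;
}

int main(void) {
    printf("inline, original test: use-after-free=%d\n", caller_touches_freed(true, false));
    printf("inline, proposed fix:  use-after-free=%d\n", caller_touches_freed(true, true));
    return 0;
}
```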


More information about the Dev mailing list