[Openswan Users] keeping SA made OCF resource leak

David McCullough David_Mccullough at securecomputing.com
Thu Jul 23 23:58:26 EDT 2009 

Jivin willer.wang at cybertan.com.tw lays it down ...
> Hi,
> 	I found the problem is not in "re SA", it is in "refcount".
> 	When a SA with refcount >1, and enter the function ipsec_sa_rm( ).
> 	This SA just be removed from hash table but won't enter ipsec_sa_wipe( ) to 	clean related resource. But I still don't understand the purpose why a deleting 	SA still keeps a refcount >1.Can someone give me some advice about this?

Are you only seeing this on the OPENSWAN 2.6.20 system or both 2.6.20 and
2.6.22 ?

There was some SA/OCF accounting fixes in versions before 2.6.22,  can't
remember exactly which version but 2.6.20 sounds old enough to have the
problem.

If it is happening on both,  sounds like it best to look at where
ipsec_sa_wipe is getting called,  and why ipsec_sa_rm doesn't.

I have been meaning to look at this a bit but haven't got time yet,  sorry
about that.  Hopefully soon if you don't solve it first :-)

Cheers,
Davidm

> -----Original Message-----
> From: David McCullough [mailto:David_Mccullough at securecomputing.com] 
> Sent: Wednesday, July 22, 2009 6:47 AM
> To: Willer Wang 王明偉 (52216)
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] keeping SA made OCF resource leak
> 
> 
> Jivin willer.wang at cybertan.com.tw lays it down ...
> > I found a problem between re SA and OCF.
> > 
> > When SA replaced, OPENSWAN will keep one more SA than it freed.
> > 
> > With time goes, there will be lots SAs kept in OPENSWAN.
> > 
> > It’s ok if OCF is not up.
> > 
> > But if we using OPENSWAN with OCF, 
> > 
> > the kept SAs will occupy system resource through OCF. 
> > 
> >  
> > 
> > It seems not easy to modify the state machine of re SA.
> > 
> > Would someone give me advice about this problem?
> 
> Which versions of OCF and openswan are you using ?
> 
> I can't say I have seen this but I may looking in the wrong place :-)
> How are you determining that you are losing SA's ?
> 
> Cheers,
> Davidm
> 
> -- 
> David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
> McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
> 
> ====================================================================
> 
> This e-mail transmission originated at CyberTAN Technology, Inc., and may contain privileged or
> confidential information that is the property of CyberTAN and protected by law from disclosure.
> If you are not an intended recipient of this transmission and you received it in error,
> please inform the sender by reply e-mail and destroy this and all other copies of this transmission
> to which you have access. Thank you.
> 

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

More information about the Users mailing list