[Openswan Users] keeping SA made OCF resource leak

willer.wang at cybertan.com.tw willer.wang at cybertan.com.tw
Thu Jul 23 02:16:19 EDT 2009

I found the problem is not in "re SA"; it is in "refcount".
When an SA with refcount > 1 enters the function ipsec_sa_rm(), the SA is just removed from the hash table but won't enter ipsec_sa_wipe() to clean up the related resources. But I still don't understand why an SA that is being deleted still keeps a refcount > 1. Can someone give me some advice about this?


-----Original Message-----
From: David McCullough [mailto:David_Mccullough at securecomputing.com] 
Sent: Wednesday, July 22, 2009 6:47 AM
To: Willer Wang 王明偉 (52216)
Cc: users at openswan.org
Subject: Re: [Openswan Users] keeping SA made OCF resource leak

Jivin willer.wang at cybertan.com.tw lays it down ...
> I found a problem between re SA and OCF.
> When an SA is replaced, OPENSWAN will keep one more SA than it freed.
> As time goes on, there will be lots of SAs kept in OPENSWAN.
> It’s ok if OCF is not up.
> But if we are using OPENSWAN with OCF,
> the kept SAs will occupy system resource through OCF. 
> It seems not easy to modify the state machine of re SA.
> Would someone give me advice about this problem?

Which versions of OCF and openswan are you using?

I can't say I have seen this but I may be looking in the wrong place :-)
How are you determining that you are losing SAs?


David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
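
The behaviour described in the message above (removal unlinks the SA from the table, but the wipe only runs when the last reference is dropped) can be seen in a simplified model. This is an added example, not Openswan or OCF code: the names `sa_add`, `sa_hold`, `sa_put`, `sa_rm`, the single-bucket table and the `open_sessions` counter are all assumptions made for illustration.

```c
/* Added illustration: simplified model, not Openswan or OCF source.
 * All names here (sa_add, sa_hold, sa_put, sa_rm) are hypothetical. */
#include <stdlib.h>

struct sa {
    unsigned spi;
    int refcount;            /* one per holder; the table itself holds one */
    struct sa *next;
};

static struct sa *table;     /* single-bucket stand-in for the SA hash table */
static int open_sessions;    /* stands in for per-SA crypto sessions */

static struct sa *sa_add(unsigned spi) {
    struct sa *s = calloc(1, sizeof(*s));
    if (!s) return NULL;
    s->spi = spi;
    s->refcount = 1;         /* the table's reference */
    s->next = table;
    table = s;
    open_sessions++;         /* resource acquired at SA creation */
    return s;
}

static struct sa *sa_hold(struct sa *s) { s->refcount++; return s; }
static void sa_put(struct sa *s) {         /* the last put performs the wipe */
    if (--s->refcount == 0) { open_sessions--; free(s); }
}

static void sa_rm(struct sa *s) {          /* unlink, drop the table's ref */
    struct sa **pp = &table;
    while (*pp && *pp != s) pp = &(*pp)->next;
    if (*pp) *pp = s->next;
    sa_put(s);               /* wipes only if no other holder remains */
}

/* Replace n SAs while a second holder does or does not release its
 * reference. Returns sessions still open after every SA left the table. */
int sessions_after_rekeys(int n, int holder_releases) {
    open_sessions = 0;
    for (int i = 0; i < n; i++) {
        struct sa *s = sa_add(1000u + (unsigned)i);
        if (!s) return -1;
        struct sa *held = sa_hold(s);      /* a path still using the SA */
        sa_rm(s);                          /* refcount 2 -> 1, no wipe */
        if (holder_releases) sa_put(held); /* refcount 1 -> 0, wipe runs */
    }
    return open_sessions;
}
```

In this model an SA whose extra reference is never released is unreachable from the table yet still holds its session, so comparing the session count against the number of SAs in the table is one way to confirm such a leak.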

