Bug 223382

Summary: PFKey SA Update Prevents UDP-Encap SA From Updated Correctly
Product: Base System Reporter: Chinh Nguyen <garrisoncreek>
Component: kernAssignee: Andrey V. Elsukov <ae>
Status: Closed FIXED    
Severity: Affects Some People CC: ae
Priority: ---    
Version: 11.1-RELEASE   
Hardware: Any   
OS: Any   

Description Chinh Nguyen 2017-11-02 15:08:46 UTC 
When a UDP-encap SA is being updated with port change (e.g., MOBIKE update SA), the updated SA is now an ESP SA.

The bug is in the function key_updateaddresses. Instead of setting up the right NAT info on the new updated SA, it does it on the old SA (which is about to be freed). As a result, the updated SA has an empty NAT-T structure which means ESP.

sys/netipsec/key.c

    newsav->natt = NULL;
    newsav->sah = sah;
    newsav->state = SADB_SASTATE_MATURE;
    error = key_setnatt(sav, mhp);
    if (error != 0)
        goto fail;

When this is patched to:

    error = key_setnatt(newsav, mhp);

UDP-encap info (if any) is preserved.

NOTE: There are other SA address updates, it may be that key_setnatt(sav, mhp) makes sense for them. I have not tested all scenarios.
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-11-03 11:33:21 UTC 
A commit references this bug:

Author: ae
Date: Fri Nov  3 11:33:13 UTC 2017
New revision: 325355
URL: https://svnweb.freebsd.org/changeset/base/325355

Log:
  Use correct pointer in key_updateaddresses() when updating NAT-T config.

  key_updateaddresses() is used to update SA addresses and NAT-T
  configuration in SADB_UPDATE message. This is done using cloning SA
  content from old SA into new one. But addresses and NAT-T configuration
  are taking from SADB_UPDATE message. Use newsa pointer to set NAT-T
  properties into cloned SA.

  PR:		223382
  MFC after:	1 week

Changes:
  head/sys/netipsec/key.c
Comment 2 commit-hook freebsd_committer freebsd_triage 2017-11-10 11:19:47 UTC 
A commit references this bug:

Author: ae
Date: Fri Nov 10 11:19:33 UTC 2017
New revision: 325639
URL: https://svnweb.freebsd.org/changeset/base/325639

Log:
  MFC r325355:
    Use correct pointer in key_updateaddresses() when updating NAT-T config.

    key_updateaddresses() is used to update SA addresses and NAT-T
    configuration in SADB_UPDATE message. This is done using cloning SA
    content from old SA into new one. But addresses and NAT-T configuration
    are taking from SADB_UPDATE message. Use newsa pointer to set NAT-T
    properties into cloned SA.

    PR:		223382

Changes:
_U  stable/11/
  stable/11/sys/netipsec/key.c
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-11-10 11:20:23 UTC 
Fixed in head/ and stable/11. Thanks!