ipsec esp: avoid dereferencing freed secasindex

(cherry picked from commit 1a56620b7958cac2b9048589cb730c46958ab539)
2026-02-18 18:20:26 -05:00 · 2024-02-25 12:30:48 +02:00 · 2024-02-25 12:30:48 +02:00 · 7f387adb69
commit 7f387adb69
parent 38a5635de9
1 changed files with 7 additions and 0 deletions
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@ -508,6 +508,13 @@ esp_input_cb(struct cryptop *crp)
 	xd = crp->crp_opaque;
 	CURVNET_SET(xd->vnet);
 	sav = xd->sav;
+	if (sav->state >= SADB_SASTATE_DEAD) {
+		/* saidx is freed */
+		DPRINTF(("%s: dead SA %p spi %#x\n", __func__, sav, sav->spi));
+		ESPSTAT_INC(esps_notdb);
+		error = ESRCH;
+		goto bad;
+	}
 	skip = xd->skip;
 	protoff = xd->protoff;
 	cryptoid = xd->cryptoid;